
Gogs Fixes Zero-Day Flaw Enabling Remote Code Execution

"Since Gogs ships with open registration enabled by default (DISABLE_REGISTRATION = false) and no limit on repository creation (MAX_CREATION_LIMIT = -1), an unauthenticated attacker can simply create an account and repository on any default-configured instance," Rapid7 researcher Jonah Burgess warned two weeks ago.

The vulnerability and the exploit chain

Gogs maintainers patched a critical argument-injection flaw that can enable remote code execution and full compromise of Internet-facing instances. The flaw — which has not yet been assigned a CVE ID — can be exploited by authenticated attackers who do not need administrative privileges. Rapid7's report says the bug affects "all Gogs releases up to and including 0.14.2 and 0.15.0+dev" and allows an attacker to compromise the targeted server, read any repository (including private repos), steal credentials, move laterally within a network, and alter hosted source code.

Rapid7's Burgess described the root cause as an argument-injection weakness in a Merge() code path that had not previously been addressed; he also noted the flaw is similar to several past argument-injection issues the Gogs team patched (CVE-2024-39933, CVE-2024-39932, CVE-2026-26194, and CVE-2024-39930), but affects a different function and therefore escaped previous fixes.

Default configuration makes exploitation simple

Burgess emphasized that the bug is practically exploitable on default-configured servers because Gogs ships with open registration and no limit on repository creation. "Any registered user who creates a repo is automatically its owner. From there, enabling rebase merging is a single toggle in settings, and the entire exploit chain can be operated without interaction from any other user," he wrote.

That configuration reality amplifies risk: Shadowserver currently tracks more than 2,300 Internet-exposed Gogs servers, with 1,839 located in Asia and 312 in Europe, and Shodan lists just over 1,000 IP addresses returning a Gogs fingerprint. Those exposure figures underline how many instances could be affected without defensive configuration changes or an immediate software update.

Patch, disclosure timeline, and vendor action

Rapid7 publicly disclosed the vulnerability after what it described as a lack of response to multiple status updates. Ten days after that public disclosure, Gogs maintainers released version 0.14.3 on June 7 to address the flaw and requested a CVE ID for the issue. Rapid7 said the fix was implemented via pull request #8301 and "recommends that all Gogs users upgrade immediately."

The vulnerability remains without an assigned CVE at the time of the patch release; Rapid7 explicitly noted the absence of a CVE ID in its advisory.

Mitigations for unpatched instances

  • Restrict user registration: set DISABLE_REGISTRATION = true in app.ini. Rapid7 called this the most impactful mitigation because the exploit is self-contained within a single user's repository.
  • Restrict repository creation: set MAX_CREATION_LIMIT = 0 in app.ini, or use the per-user "Max Repo Creation" control in the admin panel. This blocks the easiest attack path — creating a new repo with rebase enabled — but does not stop users with write access to existing repositories from exploiting the flaw.
  • Audit rebase merge settings: "Rebase before merging" can be disabled per repository under Settings > Advanced, but Rapid7 warned this is not an effective defense against a malicious repository owner or admin who can simply re-enable the option.
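As an added example (not code from the article, Rapid7 or the Gogs project), a small audit script that reads an app.ini and flags the two settings above when they are left at their open defaults. It assumes the stock Gogs layout, with DISABLE_REGISTRATION under [service] and MAX_CREATION_LIMIT under [repository], and treats an absent key as the default value (false and -1), which is exactly the case an operator is most likely to miss.

```python
import configparser
from typing import List

# Gogs defaults that apply when the key is absent from app.ini (assumed from the stock file).
DEFAULT_DISABLE_REGISTRATION = False
DEFAULT_MAX_CREATION_LIMIT = -1


def parse_app_ini(ini_text: str) -> configparser.ConfigParser:
    """Parse Gogs-style INI: keys are case-sensitive and the file may
    start with keys before any [section], so a root section is prepended."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep DISABLE_REGISTRATION upper-case
    cp.read_string("[__root__]\n" + ini_text)
    return cp


def audit_app_ini(ini_text: str) -> List[str]:
    """Return findings for the two mitigations; an empty list means both are set."""
    cp = parse_app_ini(ini_text)
    findings = []
    if not cp.getboolean("service", "DISABLE_REGISTRATION",
                         fallback=DEFAULT_DISABLE_REGISTRATION):
        findings.append("[service] DISABLE_REGISTRATION is false: anyone can "
                        "self-register and become a repository owner")
    limit = cp.getint("repository", "MAX_CREATION_LIMIT",
                      fallback=DEFAULT_MAX_CREATION_LIMIT)
    if limit != 0:
        findings.append(f"[repository] MAX_CREATION_LIMIT is {limit}: "
                        "users can still create repositories (set it to 0)")
    return findings


# Constructed sample: the default-open configuration the article describes.
DEFAULT_OPEN_INI = """\
APP_NAME = Gogs
[repository]
MAX_CREATION_LIMIT = -1
[service]
DISABLE_REGISTRATION = false
"""

# Constructed sample: the same file with the two mitigation values applied.
HARDENED_INI = DEFAULT_OPEN_INI.replace("= -1", "= 0").replace("= false", "= true")

if __name__ == "__main__":
    for name, text in (("default", DEFAULT_OPEN_INI), ("hardened", HARDENED_INI)):
        print(name, audit_app_ini(text) or ["no findings"])
```

Run it against the live custom/conf/app.ini of each exposed instance; a file that names neither key still yields two findings, because Gogs then applies the open defaults.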

What this means for technologists, policymakers, and administrators

Technologists and security teams: Rapid7's guidance is unequivocal — upgrade to Gogs 0.14.3 immediately where possible, and apply the configuration mitigations if a patch cannot be deployed at once. The available exposure data from Shadowserver and Shodan gives teams concrete inventories to check.

Policymakers and regulators: Past precedent is relevant. The report notes that an earlier Gogs RCE (CVE-2025-8110) was exploited in zero-day attacks and that, on January 12, CISA confirmed CVE-2025-8110 was being abused in the wild and added it to its catalog of actively exploited vulnerabilities, ordering Federal Civilian Executive Branch agencies to secure their servers within three weeks, by February 2.

Enterprises and administrators: If your instance uses default settings, an attacker can become a repository owner with a single created account and exploit the Merge()-path flaw without further interaction. That fact makes both rapid patching and immediate restrictions on registration and repository creation practical first steps.

Gogs 0.14.3 is available and the fix is tracked in pull request #8301; Rapid7 has requested a CVE and continues to recommend immediate upgrades and the configuration mitigations detailed above. The default-open surface that Gogs ships with — combined with thousands of exposed hosts — created the conditions for rapid exploitation; until operators update, the simplest defensive move is to close registration and limit repository creation.
