Skip to main content
Emerging Threats

Gogs Zero-Day Flaw Enables Remote Code Execution on Exposed Servers

Server room with rows of equipment, one server prominently displayed in foreground.

"Since Gogs ships with open registration enabled by default (DISABLE_REGISTRATION = false) and no limit on repository creation (MAX_CREATION_LIMIT = -1), an unauthenticated attacker can simply create an account and repository on any default-configured instance," Rapid7 senior security researcher Jonah Burges warned on Thursday.

What Rapid7 reported and the status of the flaw

Burges disclosed an unpatched zero-day in the Gogs self-hosted Git service that can allow remote code execution (RCE) on Internet-facing instances. The critical-severity argument-injection flaw affects the latest release versions (Gogs 0.14.2 and 0.15.0+dev) and has not yet been assigned a CVE ID. Although exploitation requires an authenticated user without admin privileges, Burges said the vulnerability affects "all Gogs servers with default configurations." He reported the security flaw to the Gogs maintainers on March 17; maintainers acknowledged the report on March 28 but, according to the researcher, have not provided a patch or responded to further status requests.

How the exploit works: branch names, rebase merging, and --exec

Successful exploitation uses pull requests that include a malicious branch name to inject the "--exec" flag into git rebase during the "Rebase before merging" merge operation. That injection lets an attacker execute arbitrary code remotely as the Gogs server process user. Burges warned attackers can abuse the flaw "to compromise the server, read every repository on the instance (including other users' private repos), dump credentials (password hashes, API tokens, SSH keys, 2FA secrets), pivot to other network-accessible systems, and modify any hosted repository's code."

Rapid7 noted the bug is similar to previously addressed argument-injection vulnerabilities — for example, CVE-2024-39933, CVE-2024-39932, CVE-2026-26194, and CVE-2024-39930 — but it hits a different code path, Merge(), that was never patched.

Gogs defaults and the size of the attack surface

Gogs is a self-hosted Git service written in Go, designed as an alternative to GitHub Enterprise or GitLab, and is often exposed online for remote collaboration. Burges emphasized that the default configuration makes exploitation straightforward: "Any registered user who creates a repo is automatically its owner. From there, enabling rebase merging is a single toggle in settings, and the entire exploit chain can be operated without interaction from any other user."

Internet security watchdog Shadowserver now tracks over 2,400 Gogs servers exposed online — most in Asia (1,894) and Europe (319) — while Shodan identified just over 1,000 IP addresses with a Gogs fingerprint. Those counts underline the scope of instances potentially reachable by attackers if the flaw remains unpatched.

Recent precedent: CVE-2025-8110, Wiz, and CISA action

The report arrives less than a year after another Gogs RCE. In early December, the Gogs security team patched CVE-2025-8110, which had been exploited in zero-day attacks to compromise hundreds of servers. Wiz Research discovered CVE-2025-8110 while investigating a compromised Internet-facing Gogs server in July and reported the flaw on July 17; Gogs acknowledged that report on October 30 and released patches in early January.

On January 12, the Cybersecurity and Infrastructure Security Agency (CISA) confirmed Wiz's report that CVE-2025-8110 was under active exploitation and added the vulnerability to its catalog of flaws exploited in the wild, ordering Federal Civilian Executive Branch agencies to secure their servers by February 2. At the time, Wiz security researchers warned: "Many of these instances are configured with 'Open Registration' enabled by default, creating a massive attack surface."

What this means for technologists, federal agencies, and instance operators

  • Technologists and security teams: Expect to treat default-enabled open registration and unlimited repo creation as a material risk on exposed instances; rapid mitigation will depend on configuration hardening and temporary disabling of rebase-before-merge behavior where feasible.
  • Federal agencies and regulators: The prior CISA action on CVE-2025-8110 signals that known exploitation of Gogs can trigger formal directives; agencies with Internet-facing Gogs servers will likely need to inventory and secure those assets quickly if exploit code appears in the wild.
  • Instance operators and maintainers: Operators running default-configured Gogs instances face a broad attack surface because unauthenticated actors can register, create repos, and enable rebase merging — steps Burges highlights as sufficient to mount the exploit chain without other users' interaction.

The short record of acknowledgment without a patch leaves a clear, immediate question: with default settings that permit account creation and repo ownership by registrants, how long will Internet-facing instances remain exposed? Until a fix is released and widely deployed, the combination of a low bar for account creation and a way to inject arguments into git rebase creates a risk that is both practical and urgent.

Source: BleepingComputer