A critical zero-day vulnerability in the Gogs open-source self-hosted Git service allows authenticated attackers to execute arbitrary code on servers [1].
This flaw poses a significant risk to organizations using self-hosted version control, as it enables an attacker to gain full control over the server environment. Because Gogs is often used for internal development and private code repositories, a breach could expose proprietary source code and sensitive credentials.
The vulnerability is classified as an argument injection flaw [1]. It resides in how the service handles branch-name arguments during the processing of pull requests [2]. An attacker can exploit this by creating a pull request with a specially crafted, malicious branch name [3]. This manipulation allows the attacker to bypass security controls and achieve remote code execution (RCE) on internet-facing installations [1].
Security researchers have assigned the vulnerability a CVSS score of 9.4 [1]. This score indicates a critical level of severity, reflecting the ease with which an authenticated user can trigger the flaw and the high impact of the resulting server compromise [1].
Administrators of Gogs installations are urged to review their security configurations and apply available updates to mitigate the risk. Because the flaw lies in the mechanism used to process branch data, any user with permission to open a pull request could potentially compromise the entire host system [2].
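The defensive counterpart to the branch-name handling described above, as an added example that is not Gogs's own code: a strict ref-name validator that rejects anything shaped like a command-line option, plus an argv builder that places the validated names after `--end-of-options` so git cannot reinterpret them as flags. The rules are slightly stricter than git's own `check-ref-format`, `--end-of-options` is assumed to be available (git 2.24 or later), and the function names and sample inputs are constructed for this illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"regexp"
	"strings"
)

// ErrBadRefName is returned for any branch name that fails validation.
var ErrBadRefName = errors.New("invalid branch name")

// refNameAllowed requires an alphanumeric first character, which excludes
// option-like names ("-x", "--flag") and dot-leading components outright.
// Hypothetical rule set, stricter than git's own check-ref-format.
var refNameAllowed = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._/-]*$`)

// ValidateBranchName returns nil only for names that are safe to hand to git.
func ValidateBranchName(name string) error {
	switch {
	case name == "":
		return fmt.Errorf("%w: empty", ErrBadRefName)
	case strings.HasPrefix(name, "-"):
		// The core argument-injection guard: a leading '-' could be parsed as an option.
		return fmt.Errorf("%w: leading '-' could be parsed as a git option", ErrBadRefName)
	case !refNameAllowed.MatchString(name):
		return fmt.Errorf("%w: disallowed characters", ErrBadRefName)
	case strings.Contains(name, ".."), strings.Contains(name, "@{"), strings.Contains(name, "//"):
		return fmt.Errorf("%w: forbidden sequence", ErrBadRefName)
	case strings.HasSuffix(name, ".lock"), strings.HasSuffix(name, "."), strings.HasSuffix(name, "/"):
		return fmt.Errorf("%w: forbidden suffix", ErrBadRefName)
	}
	return nil
}

// MergeBaseArgs builds argv for `git merge-base` with both refs validated and
// placed after --end-of-options (git 2.24+, assumed here), so a name that
// somehow slipped past validation still cannot be interpreted as a flag.
func MergeBaseArgs(base, head string) ([]string, error) {
	for _, n := range []string{base, head} {
		if err := ValidateBranchName(n); err != nil {
			return nil, err
		}
	}
	return []string{"merge-base", "--end-of-options", base, head}, nil
}

// RunMergeBase executes git directly (never via a shell) in repoDir and
// returns the merge-base commit id.
func RunMergeBase(repoDir, base, head string) (string, error) {
	args, err := MergeBaseArgs(base, head)
	if err != nil {
		return "", err
	}
	cmd := exec.Command("git", args...)
	cmd.Dir = repoDir
	out, err := cmd.Output()
	if err != nil {
		return "", err
	}
	return strings.TrimSpace(string(out)), nil
}

func main() {
	// Constructed sample names: one ordinary, one option-shaped, one with a
	// forbidden ".." sequence.
	for _, name := range []string{"feature/login", "--not-a-branch", "release..v2"} {
		if err := ValidateBranchName(name); err != nil {
			fmt.Printf("reject %q: %v\n", name, err)
		} else {
			fmt.Printf("accept %q\n", name)
		}
	}
}
```

The two layers are deliberately redundant: validation rejects option-shaped input before it reaches git, and the `--end-of-options` sentinel protects against any validator gap or future rule change. Rejected names are also worth logging, since a stream of option-shaped branch names from one account is a useful detection signal.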
This vulnerability highlights the inherent risks of self-hosted infrastructure, where the responsibility for patching and security monitoring falls entirely on the local administrator. By leveraging a common feature like pull requests to inject malicious arguments, attackers can turn a standard collaborative tool into a gateway for full system takeover. Organizations relying on Gogs must prioritize immediate updates to prevent authenticated users from escalating their privileges to the server level.