New Gogs zero-day flaw lets hackers get remote code execution

An unpatched zero-day vulnerability in the Gogs self-hosted Git service can allow attackers to gain remote code execution (RCE) on Internet-facing instances.
Designed as an alternative to GitHub Enterprise or GitLab and written in Go, Gogs is often exposed online for remote collaboration.
This critical-severity argument injection flaw has yet to be assigned a CVE ID, affects the latest release versions (Gogs 0.14.2 and 0.15.0+dev), and can only be exploited by authenticated attackers, though admin privileges are not required.
However, even though it requires basic user privileges to exploit, Rapid7 senior security researcher Jonah Burges (who discovered the flaw) said the vulnerability affects all Gogs servers with default configurations.
"Since Gogs ships with open registration enabled by default (DISABLE_REGISTRATION = false) and no limit on repository creation (MAX_CREATION_LIMIT = -1), an unauthenticated attacker can simply create an account and repository on any default-configured instance," Burges warned on Thursday.
"Any registered user who creates a repo is automatically its owner. From there, enabling rebase merging is a single toggle in settings, and the entire exploit chain can be operated without interaction from any other user."
Successful exploitation allows attackers to execute arbitrary code remotely as the Gogs server process user via pull requests that use a malicious branch name to inject the "--exec" flag into git rebase during the "Rebase before merging" merge operation.
They can abuse this security flaw "to compromise the server, read every repository on the instance (including other users' private repos), dump credentials (password hashes, API tokens, SSH keys, 2FA secrets), pivot to other network-accessible systems, and modify any hosted repository's code."
Burges added that this vulnerability is similar to other argument injection flaws (e.g., CVE-2024-39933, CVE-2024-39932, CVE-2026-26194, and CVE-2024-39930) addressed by Gogs in recent years, but affects a different code path (Merge()) that was never patched.
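The defensive pattern for this bug class, as an added example that is not Gogs' own code: validate any user-controlled ref name before it reaches a git argv, rejecting anything git would parse as an option rather than a ref. SafeRefName and RebaseArgs are hypothetical names, and the argv shape for the rebase step is an assumption.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrUnsafeRef is returned for names that must never reach a git argv.
var ErrUnsafeRef = errors.New("unsafe git ref name")

// SafeRefName applies the subset of git's check-ref-format rules that matters
// for argument injection. The key rule: a name starting with '-' is parsed by
// git as an option (e.g. --exec) instead of a ref, so it is rejected outright.
func SafeRefName(name string) error {
	if name == "" || strings.HasPrefix(name, "-") {
		return ErrUnsafeRef
	}
	if strings.HasPrefix(name, "/") || strings.HasSuffix(name, "/") ||
		strings.HasSuffix(name, ".") || strings.HasSuffix(name, ".lock") {
		return ErrUnsafeRef
	}
	if strings.Contains(name, "..") || strings.Contains(name, "//") ||
		strings.Contains(name, "@{") || name == "@" {
		return ErrUnsafeRef
	}
	for _, r := range name {
		// control characters and git's reserved punctuation are not allowed
		if r < 0x20 || r == 0x7f || strings.ContainsRune(" ~^:?*[\\", r) {
			return ErrUnsafeRef
		}
	}
	return nil
}

// RebaseArgs builds the argv for "git rebase <base> <head>" (assumed shape)
// only after both user-supplied names pass validation. Validation happens at
// the point of use, not only at ref creation, so a name that reaches the
// merge code path through any route is still checked.
func RebaseArgs(base, head string) ([]string, error) {
	for _, n := range []string{base, head} {
		if err := SafeRefName(n); err != nil {
			return nil, fmt.Errorf("%w: %q", err, n)
		}
	}
	return []string{"rebase", base, head}, nil
}

func main() {
	// constructed inputs: one ordinary branch name, one option-shaped name
	fmt.Println(RebaseArgs("main", "feature/login-fix"))
	fmt.Println(RebaseArgs("main", "--exec"))
}
```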
The researcher reported the security flaw to the Gogs maintainers on March 17, but they have yet to provide a patch or respond to further requests for a status update, despite acknowledging the report on March 28.
Internet security watchdog Shadowserver now tracks over 2,400 Gogs servers exposed online, most of them in Asia (1,894) and Europe (319), while Shodan found just over 1,000 IP addresses with a Gogs fingerprint.
Gogs servers exposed online (ShadowServer)
In early December, the Gogs security team patched another Gogs RCE vulnerability (CVE-2025-8110) that was exploited in zero-day attacks to compromise hundreds of servers.
"Many of these instances are configured with 'Open Registration' enabled by default, creating a massive attack surface," Wiz security researchers (who reported the flaw) said at the time.
Wiz Research discovered CVE-2025-8110 while investigating a compromised Internet-facing Gogs server in July and reported the flaw to Gogs maintainers on July 17. They acknowledged Wiz's report three months later, on October 30, and released CVE-2025-8110 patches in early January.
On January 12, CISA confirmed Wiz's report that CVE-2025-8110 was under active exploitation and added the security flaw to its catalog of vulnerabilities exploited in the wild, ordering Federal Civilian Executive Branch (FCEB) agencies to secure their servers by February 2.
"This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise," CISA warned at the time.