Full Report
An unpatched zero-day vulnerability in the Gogs self-hosted Git service can allow attackers to gain remote code execution (RCE) on Internet-facing instances. [...]
Analysis Summary
The following is a summary of the Gogs vulnerability based on the provided text.
# Vulnerability: Unpatched Argument Injection in Gogs Pull Request Merge
## CVE Details
- **CVE ID:** Not yet assigned (New Zero-Day)
- **CVSS Score:** Critical (Numerical score not specified in article, but described as Critical Severity)
- **CWE:** [CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')](https://cwe.mitre[.]org/data/definitions/88[.]html)
## Affected Systems
- **Products:** Gogs (Self-hosted Git service)
- **Versions:** Gogs 0.14.2 and Gogs 0.15.0+dev
- **Configurations:** All instances with default configurations; specifically those with `DISABLE_REGISTRATION = false` (enabled by default) and `MAX_CREATION_LIMIT = -1` (unlimited repository creation).
## Vulnerability Description
An argument injection vulnerability exists in the `Merge()` code path of Gogs. The flaw occurs during the "Rebase before merging" operation. An attacker can create a pull request using a malicious branch name that includes the `--exec` flag. Because the branch name is not properly sanitized before being passed to the `git rebase` command, the injected flag allows the attacker to execute arbitrary system commands on the server.
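As an added example (not code from Gogs or from the report), the following Go snippet shows the server-side check a merge path should apply to user-chosen branch names before they reach a git command line. Names beginning with a dash are rejected outright, since git would read them as options; the remaining rules restate git-check-ref-format(1); and the refs are placed after `--`, which git commands built on parse-options (rebase included) treat as the end of options. The function names, and the assumption that `--` is honoured by `git rebase`, are this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrOptionShaped is returned for names that git would parse as an option
// rather than as a revision when passed as a positional argument.
var ErrOptionShaped = errors.New("branch name begins with '-' and would be parsed as an option")

// ValidateBranchName applies the checks a server should run on a
// user-chosen branch name before it reaches a git command line. The
// leading-dash rule is the one that matters for argument injection; the
// remaining rules restate the refname rules from git-check-ref-format(1).
func ValidateBranchName(name string) error {
	switch {
	case name == "" || name == "@":
		return errors.New("branch name is empty or '@'")
	case strings.HasPrefix(name, "-"):
		return ErrOptionShaped
	case strings.Contains(name, ".."), strings.Contains(name, "@{"):
		return errors.New("branch name contains '..' or '@{'")
	case strings.HasSuffix(name, "."), strings.HasSuffix(name, "/"):
		return errors.New("branch name ends with '.' or '/'")
	case strings.ContainsAny(name, " ~^:?*[\\"):
		return errors.New("branch name contains a forbidden character")
	}
	for _, r := range name {
		if r < 0x20 || r == 0x7f {
			return errors.New("branch name contains a control character")
		}
	}
	for _, comp := range strings.Split(name, "/") {
		if comp == "" || strings.HasPrefix(comp, ".") || strings.HasSuffix(comp, ".lock") {
			return errors.New("path component is empty, begins with '.' or ends with '.lock'")
		}
	}
	return nil
}

// RebaseArgv builds the argv for the rebase step of a merge so that both
// refs are always positional: validation rejects option-shaped names, and
// "--" (the end-of-options marker accepted by git commands built on
// parse-options; assumed here to apply to rebase) keeps a leading dash
// from being read as a flag even if validation were bypassed elsewhere.
func RebaseArgv(upstream, branch string) ([]string, error) {
	for _, ref := range []string{upstream, branch} {
		if err := ValidateBranchName(ref); err != nil {
			return nil, fmt.Errorf("refusing to rebase %q: %w", ref, err)
		}
	}
	return []string{"git", "rebase", "--", upstream, branch}, nil
}

func main() {
	// Constructed sample names: one ordinary branch, two option-shaped
	// names (long and short spelling of the rebase exec option), one with
	// a forbidden ".." sequence.
	for _, name := range []string{"feature/login-fix", "--exec=id", "-x", "release..hotfix"} {
		if err := ValidateBranchName(name); err != nil {
			fmt.Printf("reject %q: %v\n", name, err)
		} else {
			fmt.Printf("accept %q\n", name)
		}
	}
	argv, err := RebaseArgv("master", "feature/login-fix")
	fmt.Println(argv, err)
}
```

The two layers are deliberate: the validator is what stops option-shaped names from being stored at all, while the `--` separator means a single missed call site does not turn a stored name back into a flag. Both the long `--exec` form and the short `-x` form the rebase command accepts fall under the same leading-dash rule, so no option list has to be maintained.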
## Exploitation
- **Status:** PoC availability confirmed by researchers; no active exploitation in the wild reported for this specific flaw yet (though a previous vulnerability, CVE-2025-8110, was exploited).
- **Complexity:** Low (Requires only standard user privileges)
- **Attack Vector:** Network (Authenticated)
## Impact
- **Confidentiality:** High (Ability to read all repositories, private keys, password hashes, and 2FA secrets).
- **Integrity:** High (Ability to modify any hosted repository's code).
- **Availability:** High (Full server compromise and potential for pivoting to other network systems).
## Remediation
### Patches
- **Status:** No official patch is currently available from the Gogs maintainers.
### Workarounds
- **Disable Public Registration:** Set `DISABLE_REGISTRATION = true` in the configuration to prevent unauthenticated attackers from creating accounts.
- **Restrict Repository Creation:** Set `MAX_CREATION_LIMIT` to a positive integer to limit the ability of new users to create repositories.
- **Disable Rebase Merging:** Globally or per-repository, disable the "Rebase before merging" option in settings to prevent the vulnerable code path from being triggered.
- **Firewall Restrictions:** Limit access to Gogs instances to known, trusted IP addresses via VPN or ACLs.
## Detection
- **Indicators of Compromise:**
  - Unusual branch names with a leading hyphen or shaped like command-line flags (e.g., branch names starting with `--exec`).
  - Unexpected processes spawned by the user running the Gogs service.
- **Detection Methods:** Monitor Gogs logs for pull request activities involving suspicious branch names and review system process logs (e.g., Auditd, EDR) for anomalous `git` child processes.
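The process-level detection methods above, as an added example that is not from the report or from Gogs: Go code that applies two indicators to a batch of constructed process-execution records, a `git rebase` run as the service account with an exec hook, and a non-git process whose parent is `git`. The record layout, the service account name `git`, and the sample events are assumptions of this example, not any product's schema.

```go
package main

import (
	"fmt"
	"strings"
)

// ProcEvent is a constructed, simplified process-execution record of the
// kind an auditd execve rule or an EDR sensor produces; the field set is
// an assumption, not any product's schema.
type ProcEvent struct {
	User   string   // account the process runs as
	Parent string   // executable name of the parent process
	Argv   []string // command line of the new process
}

// Finding pairs a flagged event with the indicator it matched.
type Finding struct {
	Event  ProcEvent
	Reason string
}

// hasExecHook reports whether a git rebase command line requests a
// per-commit exec hook, the option the report names as the injection
// vehicle. Both spellings git accepts are checked, with attached or
// separate values.
func hasExecHook(argv []string) bool {
	for _, a := range argv {
		if a == "--exec" || strings.HasPrefix(a, "--exec=") || strings.HasPrefix(a, "-x") {
			return true
		}
	}
	return false
}

func contains(ss []string, want string) bool {
	for _, s := range ss {
		if s == want {
			return true
		}
	}
	return false
}

// ReviewGitChildren applies the two indicators to a batch of events:
// a git rebase run as the Gogs service account carrying an exec hook,
// and a non-git process whose parent is git (what an exec hook spawns).
// Events for other accounts are skipped; rebases without a hook pass.
func ReviewGitChildren(events []ProcEvent, serviceUser string) []Finding {
	var findings []Finding
	for _, ev := range events {
		if ev.User != serviceUser || len(ev.Argv) == 0 {
			continue
		}
		switch {
		case ev.Argv[0] == "git" && contains(ev.Argv[1:], "rebase") && hasExecHook(ev.Argv):
			findings = append(findings, Finding{ev, "git rebase with exec hook"})
		case ev.Parent == "git" && ev.Argv[0] != "git":
			findings = append(findings, Finding{ev, "non-git child process of git"})
		}
	}
	return findings
}

// SampleEvents is constructed data: one normal merge rebase, one rebase
// carrying an exec hook in the position a branch name would occupy, the
// shell that hook launched, and an unrelated administrative git run by a
// different account.
var SampleEvents = []ProcEvent{
	{User: "git", Parent: "gogs", Argv: []string{"git", "rebase", "master", "feature/login-fix"}},
	{User: "git", Parent: "gogs", Argv: []string{"git", "rebase", "master", "--exec=id"}},
	{User: "git", Parent: "git", Argv: []string{"sh", "-c", "id"}},
	{User: "root", Parent: "bash", Argv: []string{"git", "gc"}},
}

func main() {
	for _, f := range ReviewGitChildren(SampleEvents, "git") {
		fmt.Printf("%-30s %v\n", f.Reason+":", f.Event.Argv)
	}
}
```

The second rule is the more robust of the two in practice: a merge path that never legitimately runs hooks should never produce a non-git child of `git`, so that signal holds even if the option spelling in the first rule were varied. Wire the same logic to real execve telemetry by mapping its fields onto `ProcEvent`.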
## References
- [Rapid7 Blog: Authenticated RCE via Argument Injection in Gogs](https://www.rapid7[.]com/blog/post/ve-authenticated-rce-via-argument-injection-gogs-unfixed/)
- [Shadowserver Statistics](https://dashboard.shadowserver[.]org/statistics/iot-devices/time-series/?date_range=365&vendor=gogs&dataset=count&limit=100&group_by=geo&stacking=stacked)
- [CWE-88 Definition](https://cwe.mitre[.]org/data/definitions/88[.]html)