Critical Gogs flaw enables complete code repository takeover
Take action: If you use the Gogs self-hosted Git service, plan a quick upgrade to version 0.13.3. Your Gogs instance is vulnerable to a flaw that allows complete system takeover. If possible, isolate Gogs from the internet, and if you can't upgrade right away, disable user registration in your Gogs configuration to prevent attackers from registering accounts and exploiting this flaw. Then plan a patch cycle.
Learn More
Security researchers are reporting a critical vulnerability in the Gogs self-hosted Git service that allows authenticated attackers to execute arbitrary commands and gain complete control over hosted code repositories. The flaw exists because an earlier security patch was insufficient.
Gogs (Go Git Service) is a self-hosted Git service developed in the Go programming language that is designed to build simple, stable, and scalable code hosting platforms.
The vulnerability is tracked as CVE-2024-56731 (CVSS score 10.0). It uses a symbolic link bypass of the patch for the previously fixed CVE-2024-39931 flaw, enabling unprivileged users to delete critical system files and achieve remote command execution with administrative privileges.
The patch for CVE-2024-39931 added a security check that prevents uploading files into the ".git" directory, but the later steps of the operation do not check for symbolic links. An attacker can therefore create a symbolic link that points to the .git directory and still delete arbitrary files.
The symbolic link bypass works because Gogs validates the target path during the initial security check but does not resolve and re-validate symbolic links during the actual file operations.
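The two paragraphs above describe a general defect class: a path check that reasons about the requested path as a string, while the later filesystem operation follows wherever a symlink actually points. The following Go example is added here to illustrate that class and is not Gogs code; the names `lexicalCheck`, `resolvedCheck` and `ErrForbidden` are assumptions for the example. It builds a constructed repository working tree in a temporary directory, adds a symlink named `link` that points at `.git`, and shows that a purely lexical check accepts `link/config` while a check that resolves the path first rejects it. The hardened check also refuses paths that resolve to a location outside the repository root, which covers the "delete arbitrary files" outcome described above.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrForbidden is returned when an upload would land inside the .git directory.
var ErrForbidden = errors.New("path resolves into the .git directory")

// lexicalCheck is the weak pattern: it inspects the requested path as a string
// and rejects any segment named ".git", but never asks the filesystem where the
// path actually leads, so a symlink named anything else slips through.
func lexicalCheck(relPath string) error {
	clean := filepath.ToSlash(filepath.Clean(relPath))
	for _, seg := range strings.Split(clean, "/") {
		if seg == ".git" {
			return ErrForbidden
		}
	}
	return nil
}

// resolvedCheck is the hardened form: it resolves every symlink on the part of
// the path that already exists on disk, then verifies that the real location is
// still inside the repository root and not inside its .git directory.
func resolvedCheck(root, relPath string) error {
	if err := lexicalCheck(relPath); err != nil {
		return err
	}
	rootReal, err := filepath.EvalSymlinks(root)
	if err != nil {
		return err
	}
	// The file being written may not exist yet, so walk up to the deepest
	// existing ancestor, resolve that, and re-append the remaining components.
	existing := filepath.Join(rootReal, relPath)
	var rest []string
	for {
		if _, err := os.Lstat(existing); err == nil {
			break
		}
		rest = append([]string{filepath.Base(existing)}, rest...)
		parent := filepath.Dir(existing)
		if parent == existing {
			return errors.New("no existing ancestor for path")
		}
		existing = parent
	}
	real, err := filepath.EvalSymlinks(existing)
	if err != nil {
		return err
	}
	real = filepath.Join(append([]string{real}, rest...)...)
	rel, err := filepath.Rel(rootReal, real)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return errors.New("path escapes the repository root")
	}
	// Re-run the lexical check on the *resolved* relative path: this is the
	// step the text says was missing after the initial validation.
	return lexicalCheck(rel)
}

func main() {
	// Constructed scenario: a working tree with a .git directory and a symlink
	// inside the tree that points at it.
	root, err := os.MkdirTemp("", "repo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	if err := os.MkdirAll(filepath.Join(root, ".git"), 0o755); err != nil {
		panic(err)
	}
	if err := os.Symlink(".git", filepath.Join(root, "link")); err != nil {
		panic(err)
	}
	fmt.Println("lexical  link/config :", lexicalCheck("link/config"))        // <nil>: weak check passes
	fmt.Println("resolved link/config :", resolvedCheck(root, "link/config")) // rejected
	fmt.Println("resolved src/main.go :", resolvedCheck(root, "src/main.go")) // <nil>: ordinary file allowed
	fmt.Println("resolved ../outside  :", resolvedCheck(root, "../outside"))  // rejected
}
```

The design point is that the decision must be made on the resolved path, not the requested one, and that the check and the operation should act on the same resolved location. Resolving only the existing prefix is what makes the check usable for files that are about to be created.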
Unprivileged user accounts can execute arbitrary commands on the Gogs instance with the privileges of the account specified by RUN_USER in the configuration, allowing attackers to access and alter any user's code hosted on the same instance. This can lead to intellectual property theft, malicious code injection into legitimate repositories, destruction of version control history, deployment of backdoors in software projects, and lateral movement to connected development infrastructure.
Since code repositories often contain sensitive information including deployment credentials, API keys, and proprietary algorithms, successful exploitation could enable supply chain attacks affecting downstream consumers of the hosted code.
The vulnerability affects all Gogs installations running version 0.13.2 and earlier.
Gogs has released version v0.13.3 to fix this vulnerability. Organizations using affected versions are strongly encouraged to patch their systems.
A quick Shodan search lists around 7,500 open Gogs instances visible on the internet.
Organizations unable to upgrade immediately should edit the Gogs configuration file app.ini to turn off user registration so that access is limited to a trusted group of people; scan hosted code and files externally to detect malicious file content or malicious operations on the .git directory; and restrict access to the system according to actual business needs.
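The registration setting referred to above lives in the `[service]` section of app.ini. The fragment below is an added illustration, not taken from the advisory, showing the open default beside the hardened value; `DISABLE_REGISTRATION` is the real Gogs key, while the surrounding comments are ours.

```ini
; app.ini, [service] section
; Weak: anyone who can reach the instance can create an account and then
; reach the authenticated code path the advisory describes.
[service]
DISABLE_REGISTRATION = false

; Hardened while the upgrade to 0.13.3 is scheduled: only administrators
; can create accounts, so access stays limited to a trusted group.
[service]
DISABLE_REGISTRATION = true
```

Restart Gogs after changing the file so the new value is read. This reduces exposure but is not a substitute for the upgrade, since existing accounts keep whatever access they already had.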