Critical Gogs Vulnerabilities Enable Remote Code Execution and 2FA Bypass
Take action: If you are using self-hosted Gogs, this is important - especially if your Gogs is publicly accessible and free to register. Update to version 0.13.4. If you cannot patch right away, restrict network access to your Git service and ensure only trusted users can register and push code.
Learn More
The Gogs project, a lightweight self-hosted Git service, has disclosed multiple security vulnerabilities, including a critical remote code execution (RCE) flaw and a two-factor authentication (2FA) bypass. The most severe of them, tracked as CVE-2025-64111, exists because the patch for an earlier vulnerability was incomplete.
Vulnerabilities summary:
- CVE-2025-64111 (CVSS score 9.3) - An OS command injection vulnerability that lets an authenticated attacker execute arbitrary commands on the host server. The UpdateRepoFile function in the API router fails to enforce the necessary security checks on the target path, so a user can modify a repository's .git/config file through a symlink. The attacker first pushes a symlink that points at the Git configuration file, then sends a PUT request to update that path with a malicious sshCommand value; the injected command is executed during subsequent Git operations on the repository.
- CVE-2025-64175 (CVSS score 7.7) - A two-factor authentication bypass that allows an attacker who already holds a target's username and password to log in to that account. The attacker can present recovery codes from their own account to satisfy the 2FA step of a different user's login session, which effectively nullifies the protection multi-factor authentication is supposed to provide across the platform.
- CVE-2026-24135 (CVSS score 7.2) - A path traversal vulnerability in the wiki component that enables authenticated users to delete arbitrary files on the server. Attackers can manipulate file paths within wiki requests to target sensitive system or application files outside the intended directory.
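To make the path traversal class concrete, the following Python snippet is an added example, not Gogs code (Gogs is written in Go) and not a reconstruction of the affected wiki handler. It shows the unchecked join that lets a request walk out of the wiki directory beside a containment check that rejects it; the wiki directory and page names are made-up inputs.

```python
import os


def naive_wiki_path(wiki_dir, page):
    """The pattern the advisory describes: the request's page name is joined to
    the wiki directory with no containment check, so '../' segments walk out of it."""
    return os.path.normpath(os.path.join(wiki_dir, page))


def safe_wiki_path(wiki_dir, page):
    """Resolve page inside wiki_dir and refuse anything that escapes it.

    realpath() collapses '..' and follows symlinks, so both lexical traversal
    and a symlink planted inside the wiki are caught; commonpath() defeats the
    prefix trick ('/srv/wiki' vs '/srv/wiki-evil'); the equality test stops a
    request from naming the wiki directory itself.
    """
    base = os.path.realpath(wiki_dir)
    target = os.path.realpath(os.path.join(base, page))
    if target == base or os.path.commonpath([base, target]) != base:
        raise ValueError(f"page name escapes the wiki directory: {page!r}")
    return target


def delete_wiki_file(wiki_dir, page):
    """Hardened delete: the unlink only happens once the path passed containment."""
    os.remove(safe_wiki_path(wiki_dir, page))
```

Note that an absolute page name defeats the naive version outright, because os.path.join discards the base directory when the second argument is absolute; the hardened version catches that case through the same commonpath comparison.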
The vulnerabilities affect all Gogs versions up to and including 0.13.3. No exploitation in the wild has been reported so far, but a proof-of-concept (PoC) exploit has been published, which raises the likelihood of active exploitation. Organizations running self-hosted instances are most exposed if their Git service is reachable from public networks or if they allow external users to create accounts and push code.
Administrators should upgrade to Gogs version 0.13.4 or 0.14.0+dev as soon as possible. As interim measures, organizations should disable public repository access, restrict user registration and monitor the API for PUT requests to the repository contents endpoint, paying particular attention to requests whose target path is a symlink or resolves inside a .git directory.
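The Python audit script below is an added example, not part of the advisory or of Gogs, for administrators who want to check an instance after patching or while the interim measures are in place. It looks for the three artefacts the RCE chain described above needs or leaves behind: a command-executing key such as core.sshCommand in any git config under the repository root, symlinks in a checked-out tree that resolve into a .git directory or outside the tree, and PUT requests to the contents API in access logs. Assumptions not stated in the advisory: the endpoint path is /api/v1/repos/<owner>/<repo>/contents/<path>; core.hooksPath and core.fsmonitor are checked alongside sshCommand because git also executes their values; the sample config and log lines are constructed.

```python
"""Audit helpers for the Gogs RCE advisory (added example, not Gogs code).

Assumptions not stated in the advisory: the contents endpoint is
PUT /api/v1/repos/<owner>/<repo>/contents/<path>; core.hooksPath and
core.fsmonitor are checked next to core.sshCommand because git also executes
their values; the sample config and log lines below are constructed.
"""
import os
import re
import sys

# Git config keys whose value git runs as a command (section, key), lower-cased.
DANGEROUS_KEYS = {("core", "sshcommand"), ("core", "hookspath"), ("core", "fsmonitor")}

_SECTION_RE = re.compile(r'^\s*\[\s*([^\s\]"]+)(?:\s+"[^"]*")?\s*\]')
_KV_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)\s*$")
_PUT_RE = re.compile(r"\bPUT\s+/api/v1/repos/([^/\s]+)/([^/\s]+)/contents/(\S+)")


def dangerous_config_entries(config_text):
    """Return (section, key, value) for every command-executing key in a git config."""
    hits, section = [], None
    for line in config_text.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue
        m = _SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        m = _KV_RE.match(line)
        if m and section and (section, m.group(1).lower()) in DANGEROUS_KEYS:
            hits.append((section, m.group(1), m.group(2)))
    return hits


def scan_git_configs(repo_root):
    """Report dangerous keys in every bare-repo config and .git/config under repo_root."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(repo_root):
        if dirpath.endswith(".git") and "config" in filenames:  # bare repo or .git dir
            cfg = os.path.join(dirpath, "config")
            with open(cfg, errors="replace") as fh:
                for hit in dangerous_config_entries(fh.read()):
                    findings.append((cfg,) + hit)
    return findings


def symlink_is_suspicious(link_path, target):
    """Lexical check: does a symlink at link_path (relative to the tree root) point
    to an absolute path, outside the tree, or into a .git directory?"""
    if os.path.isabs(target):
        return True
    parts = os.path.normpath(os.path.join(os.path.dirname(link_path), target)).split(os.sep)
    return parts[0] == ".." or ".git" in parts


def find_suspicious_symlinks(tree_root):
    """Walk a checked-out tree without following links; return (link, target) pairs."""
    found = []
    for dirpath, dirnames, filenames in os.walk(tree_root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                target = os.readlink(full)
                rel = os.path.relpath(full, tree_root)
                if symlink_is_suspicious(rel, target):
                    found.append((rel, target))
    return found


def content_update_requests(log_lines):
    """Return (owner, repo, path) for each PUT to the contents API; every hit is worth
    a look, and a path that is a symlink in that repo is the advisory's pattern."""
    return [m.groups() for m in map(_PUT_RE.search, log_lines) if m]


# Constructed samples: a bare-repo config after the attack, and two proxy log lines.
SAMPLE_CONFIG = """[core]
\trepositoryformatversion = 0
\tbare = true
\tsshCommand = sh -c 'id > /tmp/pwned'
[remote "origin"]
\turl = git@example.invalid:alice/demo.git
"""
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jan/2026:10:00:01 +0000] "GET /api/v1/repos/alice/demo/contents/README.md HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Jan/2026:10:00:07 +0000] "PUT /api/v1/repos/alice/demo/contents/cfglink HTTP/1.1" 200 87',
]

if __name__ == "__main__":
    # Usage: python gogs_audit.py <repo-root-or-tree> [<access-log>]
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for finding in scan_git_configs(root):
        print("config:", *finding)
    for link in find_suspicious_symlinks(root):
        print("symlink:", *link)
    lines = open(sys.argv[2]) if len(sys.argv) > 2 else SAMPLE_LOG
    for hit in content_update_requests(lines):
        print("PUT contents:", *hit)
```

The config scan is the post-exploitation check: a sshCommand (or hooksPath/fsmonitor) entry in a server-side repository config has no legitimate reason to exist on a Gogs host and should be treated as an indicator of compromise rather than simply removed. The symlink and log checks are the detection side of the interim measures; on an instance with open registration, any PUT to the contents endpoint whose target is a symlink is the exact sequence the advisory describes.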