Advisory

Critical Gogs Vulnerability Enables Silent Supply-Chain Attacks via LFS Overwrites

Take action: If you are using Gogs, this is important, and if your Gogs instance allows public access or registration, it's urgent. Attackers can exploit this flaw to inject their own malicious versions of binaries. You should not only update to version 0.14.2 ASAP but also verify the integrity of your existing large files to ensure they have not been replaced with malicious versions.


Learn More

Gogs, an open-source self-hosted Git service, patched a critical security vulnerability in its Git Large File Storage (LFS) implementation. 

The flaw is tracked as CVE-2026-25921 (CVSS score 9.3), an insufficient verification of data authenticity weakness (CWE-345) in the Git LFS handling mechanism. Gogs stores all LFS objects in a single global directory tree without repository isolation, using only the Object ID (OID) as a reference. An attacker can exploit this by uploading a malicious file to their own repository under the OID of a target file in another repository, because the server does not verify that the uploaded content matches the claimed SHA-256 hash.

The research notes that the platform's storage logic in internal/lfsutil/storage.go incorrectly assumed that OIDs were unique and trusted client-side retries to overwrite files without performing server-side integrity checks.

Organizations using Gogs to host binaries, datasets, or installer packages are most impacted. An attacker can inject backdoors into software assets that users then download, believing them to be legitimate. Because the Gogs web interface does not provide warnings when an LFS object is changed, these replacements remain stealthy. 

This security issue affects all Gogs instances running version 0.14.1 and earlier. 

Organizations must upgrade to Gogs version 0.14.2 ASAP. The new version enforces strict SHA-256 hash verification for all uploaded LFS objects and improves storage isolation. Administrators should also audit their existing LFS objects to ensure no unauthorized overwrites occurred before the patch was applied. If an immediate update is not possible, administrators should disable public registrations and restrict network access to the Gogs instance.
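As an added example (not Gogs' code and not a reproduction of internal/lfsutil/storage.go), this Go sketch shows the two server-side checks the fix relies on, hash verification and refusal to rewrite an existing object, plus the audit administrators are advised to run over a pre-patch object tree. `Store`, its aa/bb/rest directory layout, `PutVerified` and `Audit` are assumed names for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// Store is a hypothetical LFS object store (not Gogs' code) modelling what the advisory
// describes: one global tree keyed only by OID. The aa/bb/<rest> layout is an assumption.
type Store struct{ Root string }
func (s Store) path(oid string) string { return filepath.Join(s.Root, oid[:2], oid[2:4], oid[4:]) }

// PutVerified is the hardened upload path: hash the body server-side, reject a mismatch with
// the client-supplied OID, and never rewrite an object already stored under that OID.
func (s Store) PutVerified(oid string, body []byte) error {
	if sum := sha256.Sum256(body); hex.EncodeToString(sum[:]) != oid {
		return errors.New("oid does not match SHA-256 of uploaded content")
	}
	if _, err := os.Stat(s.path(oid)); err == nil {
		return nil // verified content already present: a retry must not touch it
	}
	_ = os.MkdirAll(filepath.Dir(s.path(oid)), 0o700) // WriteFile reports a missing dir
	return os.WriteFile(s.path(oid), body, 0o600)
}

// Audit recomputes SHA-256 for every stored object and returns the OIDs whose bytes no longer
// hash to their name, i.e. objects that were overwritten before the patch was applied.
func (s Store) Audit() (bad []string, err error) {
	err = filepath.WalkDir(s.Root, func(p string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return err
		}
		body, err := os.ReadFile(p)
		if err != nil {
			return err
		}
		rel, _ := filepath.Rel(s.Root, p) // aa/bb/rest -> aabbrest, works for a flat tree too
		oid := strings.ReplaceAll(rel, string(filepath.Separator), "")
		if sum := sha256.Sum256(body); hex.EncodeToString(sum[:]) != oid {
			bad = append(bad, oid)
		}
		return nil
	})
	return bad, err
}
```

Run `Audit` against a copy of the LFS tree taken before upgrading; any OID it reports should be treated as a replaced artifact and re-fetched from a trusted origin.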
