Unpatched Gogs vulnerability exposes servers to remote code execution attacks

Critical Gogs zero-day flaw leaves thousands of internet-facing servers at risk

Security researchers have identified a critical zero-day vulnerability in Gogs, the self-hosted Git service, that could allow attackers to achieve remote code execution (RCE) on internet-facing servers. The flaw remains unpatched and has not yet been assigned a CVE identifier.

The vulnerability affects the latest Gogs versions, including 0.14.2 and 0.15.0+dev. Although exploitation requires authentication, researchers warn that default Gogs configurations make attacks relatively easy because user registration is enabled by default and repository creation is unrestricted.

According to the findings, an attacker can create an account, generate a repository, and gain repository ownership without requiring administrator privileges. By enabling the “Rebase before merging” option and using a specially crafted branch name, attackers can inject malicious commands during the Git rebase process and execute arbitrary code on the server.
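Because no patch is available, the interim mitigation the article implies is to close the self-registration default. As an added defensive example (not from the article or the Gogs project), the script below audits a Gogs app.ini for that default; the two sample configs are constructed, and the key names DISABLE_REGISTRATION and REGISTER_EMAIL_CONFIRM under [service] are assumed to match a standard Gogs install.

```python
import configparser

# Constructed sample: a default-style Gogs app.ini with self-registration open.
OPEN_APP_INI = """\
APP_NAME = Gogs
RUN_USER = git
RUN_MODE = prod

[server]
HTTP_PORT = 3000

[service]
REGISTER_EMAIL_CONFIRM = false
DISABLE_REGISTRATION = false
"""

# Constructed sample: the same file with registration closed.
HARDENED_APP_INI = OPEN_APP_INI.replace("DISABLE_REGISTRATION = false",
                                        "DISABLE_REGISTRATION = true")


def parse_gogs_ini(text: str) -> configparser.ConfigParser:
    """Parse app.ini text. Gogs allows keys (APP_NAME, RUN_USER, ...) before the
    first section header, which configparser rejects, so a synthetic section is
    prepended; interpolation is off because values may contain '%'."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep Gogs' upper-case key names as written
    cp.read_string("[__root__]\n" + text)
    return cp


def audit(text: str) -> list[str]:
    """Return findings for settings that widen the authenticated attack surface.
    Key names are assumed to follow a standard Gogs install; a missing key is
    treated as the Gogs default (registration open, no email confirmation)."""
    cp = parse_gogs_ini(text)
    findings = []
    if not cp.getboolean("service", "DISABLE_REGISTRATION", fallback=False):
        findings.append("[service] DISABLE_REGISTRATION is not true: "
                        "anyone can self-register and create repositories")
        if not cp.getboolean("service", "REGISTER_EMAIL_CONFIRM", fallback=False):
            findings.append("[service] REGISTER_EMAIL_CONFIRM is not true: "
                            "open registration needs no verified email")
    return findings


if __name__ == "__main__":
    for sample in (OPEN_APP_INI, HARDENED_APP_INI):
        print(audit(sample) or ["no findings"])
```

Run it against the real custom/conf/app.ini of each exposed instance; an empty result means registration is already closed.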

Successful exploitation could allow threat actors to compromise the host system; access every repository on the platform, including private ones; extract credentials such as password hashes, API tokens, SSH keys and 2FA secrets; move laterally to other connected systems; and alter hosted source code.

The flaw was discovered by Rapid7 Senior Security Researcher Jonah Burgess, who reported the issue to Gogs maintainers on March 17. While the report was acknowledged on March 28, no security patch or further update has been released.

Researchers noted that the issue is similar to several previous argument injection vulnerabilities addressed by Gogs in recent years, including CVE-2024-39933, CVE-2024-39932, CVE-2026-26194, and CVE-2024-39930. However, this newly discovered vulnerability impacts a separate code path that had not previously been secured.

Internet monitoring data indicates a significant potential attack surface. Shadowserver currently tracks more than 2,400 internet-exposed Gogs servers, with the majority located in Asia and Europe. Separate scans have identified more than 1,000 publicly accessible instances.

The discovery follows another major Gogs security incident involving CVE-2025-8110, a remote code execution vulnerability that was actively exploited in attacks against hundreds of servers. That flaw was later added to the U.S. Cybersecurity and Infrastructure Security Agency’s catalog of exploited vulnerabilities, highlighting the ongoing security risks facing publicly exposed Gogs deployments.
