
Gogs has released security fixes for a zero-day argument injection vulnerability that lets authenticated users achieve remote code execution (RCE), read any repository on the instance (including private ones) and completely compromise Internet-facing servers.
All Gogs releases up to and including 0.14.2, as well as 0.15.0+dev builds, are affected. The flaw has not yet been assigned a CVE ID and requires an authenticated account, but not admin rights, to exploit.
Jonah Burgess, a security researcher at Rapid7, found and reported the vulnerability, which carries a CVSS v4 score of 9.4 and affects the default configuration of the widely used self-hosted Git service.
An attacker exploiting it gains code execution on the targeted server and can read any repository, including private ones, steal credentials, move laterally to other networked systems and modify any stored source code.
According to Burgess, the weakness affects every Gogs server running the default setup, although an attacker needs at least basic user privileges to exploit it.
About two weeks ago, Burgess warned that an unauthenticated attacker can simply create an account and repository on any default-configured instance because Gogs ships with open registration enabled by default (DISABLE_REGISTRATION = false) and no limit on repository creation (MAX_CREATION_LIMIT = -1). He went on to say that any registered user who creates a repository is automatically its owner. After that, all it takes is a single settings toggle to enable rebase merging, and the entire exploit chain can be carried out without involving any other user.
The Gogs maintainers released version 0.14.3 yesterday to fix the vulnerability and requested a CVE ID over the weekend, ten days after Rapid7 publicly disclosed it, citing a lack of response to several status-update requests.
Rapid7 advises all Gogs users to upgrade right away. According to Burgess, the patch was implemented in pull request #8301.
For users who cannot patch their Gogs instances right now, Rapid7 lists interim mitigations:
- Disable user registration by setting DISABLE_REGISTRATION = true in app.ini so that unknown users cannot create accounts. Because the exploit is self-contained within a single user's own repository, this mitigation has the most impact.
- Restrict repository creation (MAX_CREATION_LIMIT = 0 in app.ini) so that users cannot create their own repositories; the limit can also be set per user through the Max Repo Creation field in the admin panel. This does not stop users who already have write access to existing repositories, but it does block the simplest attack path of creating a new repository with rebase enabled.
- Audit rebase merge settings: “Rebase before merging” can be turned off per repository under Settings > Advanced, but a malicious user who owns or has admin access to a repository can re-enable it at any time, so this is not a reliable safeguard.
Gogs is a self-hosted Git service written in Go and positioned as a lightweight alternative to GitHub Enterprise or GitLab; it is frequently exposed online as a platform for remote collaboration.
Shodan identifies little more than 1,000 IP addresses with a Gogs fingerprint, while the internet security watchdog Shadowserver currently tracks approximately 2,300 Internet-exposed Gogs servers, most of them in Asia (1,839) and Europe (312).

Burgess added that although the weakness lies in a different code path (Merge()), it is remarkably similar to other argument-injection flaws the Gogs security team has fixed in recent years (such as CVE-2024-39930, CVE-2024-39932, CVE-2024-39933 and CVE-2026-26194).
Gogs patched another RCE vulnerability (CVE-2025-8110) in early December 2025 after it had been exploited in zero-day attacks to compromise hundreds of servers. “Many of these instances are configured with ‘Open Registration’ enabled by default, creating a massive attack surface,” according to the Wiz security researchers who reported the flaw.
CISA added CVE-2025-8110 to its Known Exploited Vulnerabilities (KEV) catalog on January 12 after confirming that it was being exploited in the wild. Federal Civilian Executive Branch (FCEB) agencies were then instructed to secure their servers within three weeks, by February 2.
CISA warned at the time that this type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.
Anyone operating an internet-facing or internal Gogs instance should take the following defensive actions immediately:
- Update immediately: apply the latest Gogs release (0.14.3 or later), which patches the vulnerable Merge() code path.
- Disable open registration: if you cannot update right away, set DISABLE_REGISTRATION = true in app.ini so that unknown users cannot create accounts.
- Restrict repository creation: enforce strict limits (MAX_CREATION_LIMIT = 0 in app.ini, or per-user limits via the admin panel) so that only vetted accounts can create new repositories.
- Remove Internet exposure: place Git infrastructure behind a VPN or on an internal network instead of exposing it directly on a public IP address.