#Vulnerabilities

Security Researcher Discovers Critical Vulnerabilities in Forgejo, Proposes 'Carrot Disclosure' Approach

Startups Reporter

A security researcher has uncovered multiple critical vulnerabilities in the Forgejo Git hosting platform, including SSRF, authentication bypasses, and RCE chains, leading to an unconventional disclosure strategy that puts pressure on maintainers to address systemic security issues.

When Fedora migrated from Pagure to Forgejo, security researcher jvoisin saw an opportunity to conduct a thorough security audit of the self-hosted Git platform. What they discovered was concerning: a codebase riddled with security vulnerabilities that could be chained together to achieve full system compromise.

The audit revealed numerous issues across different categories: Server-Side Request Forgery (SSRF) vulnerabilities in multiple locations, missing Content Security Policy (CSP) and Trusted Types protections, poor JavaScript templating practices, cryptographic implementation flaws, and weaknesses in authentication mechanisms including OAuth2, OTP handling, session management, and post-compromise recovery processes.

"All in all, it took me one evening after work to find a good amount of vulnerabilities," jvoisin wrote, "and chain them to obtain a full-blown RCE, some secrets leaks, a bunch of persistent account access, a handful of OAuth2 privesc."

The researcher noted that the Remote Code Execution (RCE) chain requires open registration and a non-default configuration option, limiting its immediate exploitability. However, the combination of vulnerabilities presents a significant risk to Forgejo installations, particularly those with relaxed security settings.

Rather than following traditional vulnerability disclosure channels, jvoisin has proposed a "carrot disclosure" approach. This unconventional method involves publishing only proof-of-concept output for critical vulnerabilities without full technical details, creating pressure on vendors to perform comprehensive security audits.

"The main idea is to only publish the (redacted) output of the exploit for a critical vulnerability, to showcase that the software is exploitable," the researcher explained. "Now the vendor has two choices: either perform a holistic audit of its software, fixing as many issues as possible in the hope of fixing the showcased vulnerability; or losing users who might not be happy running a known-vulnerable software."

The proof-of-concept shared demonstrates command execution on a target system: the redacted output shows system commands being executed as a result of a Git push. The researcher has also published file hashes for the exploit scripts, so that the scripts can be released later and verified against the hashes published now, adding credibility to the claims without disclosing the technique.

Forgejo, which emerged as a fork of Gitea, has been positioning itself as a lightweight, self-hosted Git solution. The security issues discovered raise questions about the project's development practices and security review processes. While many open-source projects struggle with limited resources for security audits, the extent of vulnerabilities found suggests systemic issues that require attention.

The "carrot disclosure" approach represents an interesting evolution in security reporting, particularly for projects where traditional disclosure methods have not prompted meaningful security improvements. By demonstrating exploitability without providing detailed instructions, this method creates an incentive for vendors to address underlying security issues across the codebase rather than patching only the single vulnerability that was reported.

Users of Forgejo should be aware of these potential security risks and consider additional security controls while the project addresses these issues. Since the researcher states that the RCE chain depends on open registration and a non-default configuration option, administrators should at minimum disable open registration on instances that do not need it and review any settings they have changed from the defaults. The situation also highlights the importance of security reviews when selecting self-hosted software solutions, particularly for code hosting platforms that handle sensitive development work.
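A concrete first step for the open-registration precondition the researcher names, shown as an added example rather than anything from the page or from the Forgejo project itself. The setting is the `[service]` section's `DISABLE_REGISTRATION` key in Forgejo's `app.ini` (inherited from Gitea); the non-default option the researcher mentions is not identified on the page, so it is not shown here, and the file path in the comment is an assumption.

```ini
; Weak: anyone who can reach the instance can create an account,
; which the researcher states is one precondition of the RCE chain.
; (file location assumed: /etc/forgejo/app.ini or <work-path>/custom/conf/app.ini)
[service]
DISABLE_REGISTRATION = false

; Hardened: self-service registration off; accounts are created by an
; administrator instead. Restart Forgejo after changing the file.
[service]
DISABLE_REGISTRATION = true
```

Only one `[service]` section should exist in a real `app.ini`; the two are shown side by side for comparison. After the change, confirm the registration page is gone by visiting `/user/sign_up` unauthenticated, and keep reviewing any other keys you have set away from their defaults, since the page does not say which non-default option completes the chain.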

For more information about Forgejo, visit their official website. Those interested in learning more about security best practices for Git platforms can explore resources from organizations like the Open Source Security Foundation.
