Gogs has released a security update to fix a critical zero-day vulnerability that could allow attackers to compromise internet-facing servers and access any hosted repositories, including private ones.

The flaw is an argument injection vulnerability that has not yet received a CVE ID. It affects all Gogs releases up to and including 0.14.2, as well as 0.15.0+dev development builds. According to Rapid7's researchers, the bug can be exploited by any authenticated user; admin privileges are not required.

If successfully exploited, attackers could compromise a targeted Gogs server, read private repositories, steal credentials, move deeper into the victim’s network, and modify hosted source code. This makes the issue especially serious for organizations that use Gogs to host sensitive development projects or internal code.

Rapid7 security researcher Jonah Burgess, who discovered and reported the vulnerability, warned that the issue affects Gogs servers using default settings. Although attackers need a user account to exploit the flaw, Gogs ships with open registration enabled by default and does not limit repository creation. This means an attacker could create an account and a repository on a default-configured instance without needing prior access.

Once the attacker creates a repository, they automatically become its owner. From there, they can enable rebase merging in the repository settings and carry out the exploit chain without needing interaction from another user.

Gogs maintainers released version 0.14.3 on June 7 to patch the vulnerability, 10 days after Rapid7 had publicly disclosed the issue because the maintainers had not responded to its repeated requests for a status update. The maintainers have since requested a CVE ID for the flaw.


Rapid7 is urging all Gogs users to upgrade immediately. For users who cannot patch right away, the company recommends disabling open registration by setting DISABLE_REGISTRATION to true in the app.ini file. This prevents untrusted users from creating accounts and is considered the most important temporary mitigation.

Administrators can also restrict repository creation by setting MAX_CREATION_LIMIT to 0 in app.ini or by limiting repository creation for users through the admin panel. This can block the easiest attack path, although it does not fully prevent exploitation by users who already have write access to existing repositories.
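Taken together, the two app.ini changes recommended above look like the following. This is an added illustration, not configuration text from Rapid7 or the Gogs project; the placement of the keys under the `[service]` and `[repository]` sections and the stock default values shown in comments are assumed from the default Gogs conf and should be checked against the instance's own app.ini.

```ini
; app.ini (typically custom/conf/app.ini): temporary mitigations for the Gogs
; argument-injection zero-day until the instance is upgraded to 0.14.3 or later.
; Section names and stock defaults are assumed from the default Gogs conf;
; confirm against your own file. Restart Gogs after editing.

[service]
; Stock default is false: anyone reachable over the network can self-register,
; which hands an attacker the user account the exploit requires.
; DISABLE_REGISTRATION = false
DISABLE_REGISTRATION = true

[repository]
; Stock default is -1 (no limit): every user may create repositories and
; becomes their owner, which is the easiest route to enabling rebase merging.
; MAX_CREATION_LIMIT = -1
MAX_CREATION_LIMIT = 0
```

Neither setting touches accounts or repositories that already exist, so after applying them review the user list and each repository's collaborators in the admin panel for anyone who should not hold owner or admin rights, since such a user can still re-enable "Rebase before merging" on a repository they control.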

Rapid7 also advised administrators to review rebase merge settings. However, the company noted that disabling “Rebase before merging” is not a complete defense if a malicious user owns or has admin access to a repository, since they can turn the setting back on.

Gogs is written in Go and is commonly used as a self-hosted alternative to GitHub Enterprise or GitLab. Because it is often exposed online for remote collaboration, vulnerable servers could present a major risk if not updated quickly.

Shadowserver currently tracks more than 2,300 internet-exposed Gogs servers, with most located in Asia and Europe. Shodan also lists just over 1,000 IP addresses with a Gogs fingerprint.

Burgess said the vulnerability is similar to several other argument injection flaws patched by the Gogs security team in recent years, including CVE-2024-39933, CVE-2024-39932, CVE-2026-26194, and CVE-2024-39930. However, this latest flaw affects a different code path that had not previously been fixed.


Gogs has faced serious security issues before. An earlier remote code execution vulnerability, tracked as CVE-2025-8110, was exploited in zero-day attacks that compromised hundreds of servers. Security researchers at Wiz noted that many exposed Gogs instances still had open registration enabled by default, creating a large attack surface.

CISA later confirmed that CVE-2025-8110 was being exploited in the wild and added it to its catalog of actively exploited vulnerabilities. The agency ordered U.S. federal civilian agencies to secure affected servers within three weeks, warning that this type of vulnerability is a common attack vector and poses serious risks to federal networks.
