Summary
Gogs is reported to have a critical, unpatched, authenticated remote code execution vulnerability (CVSS 9.4): an authenticated user can execute arbitrary code on the server by supplying a malicious branch name that is used during a rebase operation. The flaw enables full server compromise, theft of hosted data, and supply chain attacks against the code the instance hosts, and it affects Linux, Windows, and macOS deployments alike.
Take Action:
If you're running Gogs, there is no patch to apply yet, so reduce who can reach the vulnerable code path: set DISABLE_REGISTRATION = true in the [service] section of app.ini so that attackers cannot self-register an account, and set MAX_CREATION_LIMIT = 0 in the [repository] section so that existing users cannot create new repositories. Audit server logs for errors mentioning --exec and the instance's API tokens for names carrying the msf_ prefix, and consider isolating Gogs behind a VPN or on an internal network until a fix is released.
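The three checks above, as an added example (not code from the advisory or from the Gogs project): it verifies the two app.ini settings, scans log lines for --exec, and flags msf_-prefixed token names. The app.ini fragment, the log lines and the token list are constructed stand-ins; the log lines only approximate Gogs's layout, and the token record fields are assumed rather than taken from Gogs's schema. The [service] and [repository] section names are the ones Gogs documents.

```python
"""Post-advisory checks for a Gogs instance (added example, not the
advisory's or the project's own code).

  1. app.ini hardening: [service] DISABLE_REGISTRATION = true and
     [repository] MAX_CREATION_LIMIT = 0. The sample file is constructed.
  2. Log audit: lines mentioning "--exec", the report's indicator for the
     malicious-branch-name rebase path. Sample lines are constructed and
     only approximate Gogs's log layout.
  3. API token audit: names with the "msf_" prefix. The sample token list
     is constructed and its fields are assumed; export yours from the
     instance however you normally do.
"""
import configparser

SAMPLE_APP_INI = """\
APP_NAME = Gogs
RUN_MODE = prod

[repository]
ROOT = /home/git/gogs-repositories
MAX_CREATION_LIMIT = -1

[service]
DISABLE_REGISTRATION = false
REQUIRE_SIGNIN_VIEW = false
"""

# The same file with the two mitigations from the advisory applied.
HARDENED_APP_INI = (
    SAMPLE_APP_INI.replace("MAX_CREATION_LIMIT = -1", "MAX_CREATION_LIMIT = 0")
    .replace("DISABLE_REGISTRATION = false", "DISABLE_REGISTRATION = true")
)

SAMPLE_LOG = [  # constructed lines, not real Gogs output
    "2025/01/15 09:12:44 [ INFO] Listen on http://0.0.0.0:3000",
    "2025/01/15 09:13:02 [ INFO] New user created: devuser",
    "2025/01/15 09:14:37 [ERROR] rebase failed for branch: git: unknown option `--exec'",
    "2025/01/15 09:15:01 [ INFO] Pull request #7 merged",
]

SAMPLE_TOKENS = [  # constructed; the fields are assumed, not Gogs's schema
    {"user": "alice", "name": "ci-deploy"},
    {"user": "devuser", "name": "msf_token"},
]


def audit_config(ini_text):
    """Return a list of findings; an empty list means both mitigations are in place."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep Gogs's upper-case keys as written
    # Gogs puts a few keys (APP_NAME, RUN_MODE, ...) before the first section
    # header; configparser requires one, so give those keys a synthetic section.
    cp.read_string("[__root__]\n" + ini_text)
    findings = []
    reg = cp.get("service", "DISABLE_REGISTRATION", fallback="false")
    if reg.strip().lower() != "true":
        findings.append(
            "[service] DISABLE_REGISTRATION = %s: anyone can self-register "
            "and become an authenticated user" % reg
        )
    limit = cp.get("repository", "MAX_CREATION_LIMIT", fallback="-1")
    if limit.strip() != "0":
        findings.append(
            "[repository] MAX_CREATION_LIMIT = %s: users can still create "
            "repositories (Gogs treats -1 as unlimited)" % limit
        )
    return findings


def audit_log(lines):
    """Return (line_number, line) for every log line that mentions --exec."""
    return [(n, line) for n, line in enumerate(lines, 1) if "--exec" in line]


def audit_tokens(tokens):
    """Return the tokens whose name carries the msf_ prefix named in the report."""
    return [t for t in tokens if t.get("name", "").startswith("msf_")]


def main():
    for label, ini in (("current app.ini", SAMPLE_APP_INI),
                       ("hardened app.ini", HARDENED_APP_INI)):
        findings = audit_config(ini)
        print(f"{label}: {'OK' if not findings else 'needs attention'}")
        for f in findings:
            print("  -", f)
    for n, line in audit_log(SAMPLE_LOG):
        print(f"log line {n} mentions --exec: {line}")
    for t in audit_tokens(SAMPLE_TOKENS):
        print(f"suspicious API token {t['name']!r} owned by {t['user']}")


if __name__ == "__main__":
    main()
```

Run it against your real app.ini and log export by replacing the constructed constants; the config check reports the current value of each setting so that a reviewer can see what was found, not only that it failed.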
This article was originally published on BeyondMachines

