VMTech · Instagram

Critical RCE in Gogs Enables Arbitrary Code Execution

Colleagues, please note: a critical RCE has been discovered in Gogs.

Brief:
- Rapid7: crafting a PR with a malicious branch name injects --exec into git rebase when "Rebase before merging" is used.
- No admin rights required — an attacker can register and create a repo with default settings.
- Impact: server compromise, repository access, credential leakage, and cross-tenant data exposure.

Recommendations:
- Disable user registration and/or restrict repository creation.
- Disable/verify rebase-merge workflows and audit relevant logs.
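
As an added illustration of the defensive side of the branch-name issue above (example code written here, not Gogs' code or Rapid7's analysis): a validator that applies git's documented branch-name rules, including the rule that a name cannot begin with a dash, and a hypothetical helper that refuses to build a rebase argv from any name failing those rules. The function names and the argv layout are assumptions for this example.

```python
import re

# Constructed rules mirroring the constraints documented for
# `git check-ref-format --branch`; this is a stand-alone validator
# added as an example, not the upstream project's code.
_BAD_SUBSTRINGS = ("..", "@{", "//", "\\")
# ASCII control chars, space, DEL, and the characters ~ ^ : ? * [
_BAD_CHARS = re.compile(r"[\x00-\x20\x7f~^:?*\[]")


def is_valid_branch_name(name: str) -> bool:
    """Return True only if `name` is a branch name git itself would accept."""
    if not name or name == "@":
        return False
    # Git rejects branch names beginning with '-'. Enforcing this before the
    # name reaches argv is what keeps a name shaped like an option (e.g. one
    # starting with --exec) from being parsed as a flag by the git subcommand.
    if name.startswith("-"):
        return False
    if name.startswith("/") or name.endswith("/") or name.endswith("."):
        return False
    if _BAD_CHARS.search(name):
        return False
    if any(s in name for s in _BAD_SUBSTRINGS):
        return False
    for component in name.split("/"):
        if component.startswith(".") or component.endswith(".lock"):
            return False
    return True


def build_rebase_argv(base_branch: str, pr_branch: str) -> list:
    """Hypothetical helper: build an argv list (never a shell string) for
    rebasing pr_branch onto base_branch, rejecting unsafe names first."""
    for n in (base_branch, pr_branch):
        if not is_valid_branch_name(n):
            raise ValueError(f"rejected branch name: {n!r}")
    # Options, if any, belong before the refs; user-supplied names only
    # ever occupy positional slots.
    return ["git", "rebase", base_branch, pr_branch]
```

Running the validator against every user-controlled ref before it is passed to git, together with disabling rebase-merge as recommended above, removes the option-injection path this post describes.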

Why it matters: the flaw affects all deployments and poses a severe infrastructure risk.

What measures will you take?

#cybersecurity #Gogs #RCE #DevSecOps
