Critical RCE in Gogs Enables Arbitrary Code Execution

Colleagues, please note: a critical RCE has been discovered in Gogs.
Brief:
- Per Rapid7: a pull request whose branch name is crafted to carry a --exec option gets that option passed through to the git rebase command when "Rebase before merging" is used.
- No admin rights required — an attacker can register and create a repo with default settings.
- Impact: server compromise, repository access, credential leakage, and cross-tenant data exposure.
Recommendations:
- Disable user registration and/or restrict repository creation.
- Disable/verify rebase-merge workflows and audit relevant logs.
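As an added example (not Gogs' own code): a Go ref-name validator and argv builder of the kind that closes this bug class, rejecting option-like and malformed branch names before git is ever invoked. It assumes git's ref-name rules as documented in git-check-ref-format(1) and that git is run through os/exec with an argument vector, never a shell.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ValidateBranchName rejects option-like names (leading "-") and names that break
// git's ref-name rules (assumed from git-check-ref-format(1); not Gogs' validator).
func ValidateBranchName(name string) error {
	switch {
	case name == "":
		return errors.New("empty branch name")
	case strings.HasPrefix(name, "-"):
		return errors.New("name starts with '-': would be parsed as an option")
	case strings.HasPrefix(name, "/"), strings.HasSuffix(name, "/"), strings.HasSuffix(name, "."):
		return errors.New("name must not start or end with '/' or end with '.'")
	case strings.Contains(name, ".."), strings.Contains(name, "@{"), strings.Contains(name, "//"):
		return errors.New("name contains a forbidden sequence ('..', '@{' or '//')")
	}
	for _, r := range name {
		if r < 0x20 || r == 0x7f || strings.ContainsRune(" ~^:?*[\\", r) {
			return fmt.Errorf("name contains forbidden character %q", r)
		}
	}
	for _, comp := range strings.Split(name, "/") {
		if strings.HasPrefix(comp, ".") || strings.HasSuffix(comp, ".lock") {
			return errors.New("component must not start with '.' or end with '.lock'")
		}
	}
	return nil
}

// RebaseArgs builds the argv for the rebase step only after both refs validate, and
// places "--" before the positional refs so git's option parser stops reading options.
func RebaseArgs(base, head string) ([]string, error) {
	for _, n := range []string{base, head} {
		if err := ValidateBranchName(n); err != nil {
			return nil, fmt.Errorf("refusing rebase: %w", err)
		}
	}
	return []string{"git", "rebase", "--", base, head}, nil
}

func main() {
	for _, h := range []string{"feature/login-fix", "-x", "a..b"} {
		fmt.Println(RebaseArgs("main", h)) // constructed sample names
	}
}
```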
Why it matters: the flaw affects all deployments and poses a severe infrastructure risk.
What measures will you take?
#cybersecurity #Gogs #RCE #DevSecOps
