Gogs · Gogs · CVE-2026-22592
**Name of the Vulnerable Software and Affected Versions**
Gogs versions prior to 0.13.4
Gogs versions prior to 0.14.0+dev
**Description**
Gogs is a self-hosted Git service susceptible to a denial-of-service (DoS) attack. An authenticated user can trigger a crash by initiating a mirror synchronization on a repository and then deleting the repository before the synchronization completes. Specifically, the issue occurs when the `GetMirrorByRepoID` function fails, leading to a null pointer dereference. The vulnerable code is located in `internal/database/mirror.go`, lines 333-337 and 269-278. A proof-of-concept (PoC) involves repeatedly triggering mirror synchronization via the `/superuser/gobypass403/settings` API endpoint with the `action` parameter set to `mirror-sync` while simultaneously deleting the repository.
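The failure pattern described above, as an added Go example (a simplified model written for this page, not code from Gogs): a lookup that fails after the repository is deleted returns a nil pointer, and only the variant that checks the error survives. The `Mirror`, `store`, `syncUnchecked`, `syncChecked` and `panics` names are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Mirror and store are simplified stand-ins (assumptions), not Gogs types.
type Mirror struct{ Address string }
type store map[int64]*Mirror

var errMirrorNotExist = errors.New("mirror does not exist")

// getMirrorByRepoID returns (nil, err) once the repository's mirror is gone.
func (s store) getMirrorByRepoID(id int64) (*Mirror, error) {
	if m, ok := s[id]; ok {
		return m, nil
	}
	return nil, errMirrorNotExist
}

// syncUnchecked drops the error and dereferences the nil *Mirror: it panics.
func syncUnchecked(s store, id int64) string {
	m, _ := s.getMirrorByRepoID(id)
	return m.Address
}

// syncChecked returns the lookup error so a worker can skip the stale job.
func syncChecked(s store, id int64) (string, error) {
	m, err := s.getMirrorByRepoID(id)
	if err != nil {
		return "", fmt.Errorf("skip sync for repo %d: %w", id, err)
	}
	return m.Address, nil
}

// panics reports whether f panicked, so both variants can be compared.
func panics(f func()) (p bool) {
	defer func() { p = recover() != nil }()
	f()
	return false
}

func main() {
	s := store{1: {Address: "https://example.invalid/a.git"}} // constructed data
	delete(s, 1) // repository deleted while its sync job is still queued
	fmt.Println("unchecked panics:", panics(func() { _ = syncUnchecked(s, 1) }))
	_, err := syncChecked(s, 1)
	fmt.Println("checked:", err)
}
```

In a long-running service, an unrecovered panic of this kind in a background goroutine terminates the whole process, which is why a single stale job is enough for a denial of service.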
**Recommendations**
Versions prior to 0.13.4 should be updated to version 0.13.4 or later.
Versions prior to 0.14.0+dev should be updated to version 0.14.0+dev or later.