PT-2026-23483 · Gogs · Gogs

Zjuchenyuan · Published 2026-02-08 · Updated 2026-03-25 · CVE-2026-25921

CVSS v3.1: 9.3 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L
Name of the Vulnerable Software and Affected Versions
Gogs versions prior to 0.14.2

Description
Gogs, a self-hosted Git service, allows Large File Storage (LFS) objects to be overwritten across repositories. LFS objects are stored under a path derived from the object ID (oid) alone; the repository ID is not part of the storage path, so every repository that references the same oid shares one file on disk. Gogs also does not verify that the SHA-256 hash of an uploaded LFS object matches its oid, so the stored bytes need not correspond to the oid at all. An attacker who can push LFS objects to a repository they control can therefore upload arbitrary content under the oid of an object in another user's repository and replace that object for the victim. Because users downloading LFS objects through the web interface receive no warning that the content has changed, this enables a supply-chain attack on anything distributed as an LFS object. The upload is handled through the API endpoint '/api/v1/repos/{owner}/{repo}/lfs/objects', where the oid variable identifies the LFS object and the upload function writes it to storage.

Recommendations
Update to version 0.14.2 or later.
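The two defects described above (a storage path keyed by oid alone, and no check that the uploaded bytes hash to the oid), as an added example that is not Gogs's own code: a small in-memory stand-in for the LFS object store with each defect switchable, so the cross-repository overwrite can be run and then compared with the isolated, hash-verified variant. The directory layout (oid split into 2/2/60 segments) and the repo-<id> prefix are assumptions for illustration, not Gogs's actual on-disk layout.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"path"
	"regexp"
)

// An LFS oid is the lowercase hex SHA-256 of the object content (64 hex chars).
// Validating its shape also blocks path traversal through a crafted oid.
var oidPattern = regexp.MustCompile(`^[0-9a-f]{64}$`)

// Store is an in-memory stand-in for the on-disk LFS object directory.
// Keys are storage paths, values are object bytes.
type Store struct {
	objects  map[string][]byte
	isolated bool // true: include the repository ID in the storage path
	verify   bool // true: reject uploads whose SHA-256 does not equal the oid
}

func NewStore(isolated, verify bool) *Store {
	return &Store{objects: map[string][]byte{}, isolated: isolated, verify: verify}
}

// objectPath mirrors the flaw: without isolation the path is derived from the
// oid alone, so every repository referencing that oid shares one file.
// The 2/2/60 split and the "repo-<id>" prefix are assumed layouts.
func (s *Store) objectPath(repoID int64, oid string) string {
	if s.isolated {
		return path.Join("lfs", fmt.Sprintf("repo-%d", repoID), oid[:2], oid[2:4], oid[4:])
	}
	return path.Join("lfs", oid[:2], oid[2:4], oid[4:])
}

// Upload stores content for (repoID, oid), applying the configured checks.
func (s *Store) Upload(repoID int64, oid string, content []byte) error {
	if !oidPattern.MatchString(oid) {
		return errors.New("invalid oid")
	}
	if s.verify {
		sum := sha256.Sum256(content)
		if hex.EncodeToString(sum[:]) != oid {
			return errors.New("content hash does not match oid")
		}
	}
	s.objects[s.objectPath(repoID, oid)] = append([]byte(nil), content...)
	return nil
}

// Download returns the stored bytes for (repoID, oid), if any.
func (s *Store) Download(repoID int64, oid string) ([]byte, bool) {
	if !oidPattern.MatchString(oid) {
		return nil, false
	}
	b, ok := s.objects[s.objectPath(repoID, oid)]
	return b, ok
}

// OID computes the LFS oid for content, as a client would.
func OID(content []byte) string {
	sum := sha256.Sum256(content)
	return hex.EncodeToString(sum[:])
}

// CrossRepoOverwrite runs the scenario from the advisory: the victim (repo 1)
// stores a legitimate object; the attacker (repo 2) uploads different bytes
// under the same oid. It returns what repo 1 reads back afterwards and whether
// the attacker's upload was accepted. Inputs are constructed sample data.
func CrossRepoOverwrite(s *Store) (victimReads string, attackerAccepted bool) {
	legit := []byte("legitimate build artifact")
	evil := []byte("malicious build artifact")
	oid := OID(legit)
	if err := s.Upload(1, oid, legit); err != nil {
		panic(err) // the victim's content always hashes to its own oid
	}
	err := s.Upload(2, oid, evil)
	attackerAccepted = err == nil
	got, _ := s.Download(1, oid)
	return string(got), attackerAccepted
}

func main() {
	cases := []struct {
		name string
		s    *Store
	}{
		{"vulnerable (shared path, no hash check)", NewStore(false, false)},
		{"isolated path only", NewStore(true, false)},
		{"fixed (per-repo path, hash verified)", NewStore(true, true)},
	}
	for _, c := range cases {
		got, accepted := CrossRepoOverwrite(c.s)
		fmt.Printf("%-42s attacker upload accepted=%-5v repo 1 reads %q\n", c.name+":", accepted, got)
	}
}
```

Note that path isolation alone stops the cross-repository overwrite, but only the hash check stops an attacker from storing arbitrary bytes under an oid in their own repository; the fix needs both, which is why the example keeps the two switches separate.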

Weakness Enumeration

Insufficient Verification of Data Authenticity (CWE-345)

Related Identifiers

BDU:2026-05190
CVE-2026-25921
GHSA-CJ4V-437J-JQ4C
GO-2026-4616
SUSE-SU-2026:1042-1

Affected Products

Gogs