PT-2026-6745 · Gogs · Gogs

Published: 2026-02-06 · Updated: 2026-03-03 · CVE-2025-64111

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Gogs versions prior to 0.13.4; Gogs versions 0.14.0+dev

Description: Gogs, a self-hosted Git service, is affected by a critical remote code execution (RCE) issue. This issue allows attackers to rewrite the .git/config file via an API, potentially injecting malicious Git configurations like sshCommand. Exploitation involves abusing a symlink and the repository contents API to overwrite the .git/config file, leading to remote command execution during Git operations. The issue stems from an insufficient patch for a previously identified security advisory. The UpdateRepoFile function has a security check that is bypassed when called through the API router, allowing updates to the .git/config file. A proof-of-concept demonstrates the creation of a symlink, pushing it to the repository, and then updating the file via the API to inject malicious configuration.

Recommendations: Upgrade to Gogs version 0.13.4 or later. Upgrade to Gogs version 0.14.0+dev or later.

Tags: Exploit · Fix · RCE · OS Command Injection

Weakness Enumeration

Related Identifiers

CVE-2025-64111
GHSA-GG64-XXR9-QHJP
GO-2026-4448
SUSE-SU-2026:0757-1

Affected Products

Gogs