PT-2026-6751 · Gogs · Gogs

Published: 2026-02-06 · Updated: 2026-03-10 · CVE-2025-64175

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Gogs versions prior to 0.13.4; Gogs versions 0.14.0+dev and earlier

Description: Gogs, an open-source self-hosted Git service, has an issue where the 2FA recovery code validation does not limit codes by user. This allows a cross-account bypass: an attacker who knows a victim's username and password can use any unused recovery code (even one from their own account) to bypass the victim's two-factor authentication. Successful exploitation leads to full account takeover, rendering 2FA ineffective.

The root cause is a flaw in the UseRecoveryCode function within internal/database/two_factor.go, which performs a global lookup for unused codes instead of verifying ownership by the user attempting to log in. The vulnerable code snippet performs a database query without a user ID constraint. A proof-of-concept demonstrates an attacker using their own recovery code to log in as another user.

Recommendations: Update to Gogs version 0.13.4 or later. Update to Gogs version 0.14.0+dev or later.
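The following Go program is an added illustration of the bug class described above and is not code from Gogs or from this advisory. It models the recovery-code table with an in-memory store (the struct fields, function names and sample codes are assumptions constructed for the example) and places the unscoped lookup beside a lookup that is constrained to the authenticating user's ID, so the cross-account acceptance and its fix can be exercised directly.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"sync"
)

// RecoveryCode is one row of a hypothetical recovery-code table. The field
// names are assumptions for this example, not the Gogs schema.
type RecoveryCode struct {
	UserID int64
	Code   string
	Used   bool
}

// Store is an in-memory stand-in for the database table.
type Store struct {
	mu    sync.Mutex
	codes []RecoveryCode
}

// ErrRecoveryCodeNotFound is returned when no matching unused code exists.
var ErrRecoveryCodeNotFound = errors.New("recovery code not found or already used")

// NewDemoStore builds constructed sample data: user 1 is the victim, user 2
// the attacker, each holding one unused recovery code.
func NewDemoStore() *Store {
	return &Store{codes: []RecoveryCode{
		{UserID: 1, Code: "VICTIM-1111"},
		{UserID: 2, Code: "ATTACKER-2222"},
	}}
}

// UseRecoveryCodeVulnerable reproduces the flawed pattern the advisory
// describes: the lookup matches any unused code in the table and never
// checks that the code belongs to the user who is logging in.
func (s *Store) UseRecoveryCodeVulnerable(userID int64, code string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	for i := range s.codes {
		rc := &s.codes[i]
		// BUG: userID is ignored, so a code issued to another account is accepted.
		if !rc.Used && rc.Code == code {
			rc.Used = true
			return nil
		}
	}
	return ErrRecoveryCodeNotFound
}

// UseRecoveryCodeFixed scopes the lookup to the authenticating user, which
// is the class of fix the patched versions apply. The comparison is also
// done in constant time; that is extra hardening, not part of the advisory.
func (s *Store) UseRecoveryCodeFixed(userID int64, code string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	for i := range s.codes {
		rc := &s.codes[i]
		if rc.UserID != userID || rc.Used {
			continue // only this user's own unused codes are candidates
		}
		if subtle.ConstantTimeCompare([]byte(rc.Code), []byte(code)) == 1 {
			rc.Used = true // burn the code so it cannot be replayed
			return nil
		}
	}
	return ErrRecoveryCodeNotFound
}

func main() {
	// The attacker (user 2) tries to complete the victim's (user 1) 2FA step
	// with a recovery code from the attacker's own account.
	vulnerable := NewDemoStore()
	fmt.Println("unscoped lookup:", vulnerable.UseRecoveryCodeVulnerable(1, "ATTACKER-2222"))

	fixed := NewDemoStore()
	fmt.Println("scoped lookup:  ", fixed.UseRecoveryCodeFixed(1, "ATTACKER-2222"))
	fmt.Println("own code:       ", fixed.UseRecoveryCodeFixed(1, "VICTIM-1111"))
	fmt.Println("replayed code:  ", fixed.UseRecoveryCodeFixed(1, "VICTIM-1111"))
}
```

With the unscoped lookup the first call returns nil, meaning the victim's 2FA step is satisfied by a code that was never issued to them; the scoped lookup rejects it, accepts the victim's own code once, and refuses the replay. When reviewing similar code, the check to look for is that every query against a per-user secret table carries the user ID of the session being authenticated, and that a consumed code is marked used in the same transaction that accepted it.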

Weakness Enumeration: Improper Authentication

Related Identifiers

CVE-2025-64175
GHSA-P6X6-9MX6-26WJ
GO-2026-4449
SUSE-SU-2026:0757-1

Affected Products

Gogs