PT-2026-6863 · Go · Gogs.Io/Gogs

Published 2026-02-06 · Updated 2026-02-06

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

Vulnerability Description

In the endpoint

    /username/reponame/settings/hooks/git/:name

the :name parameter:
  • Is URL-decoded by Macaron routing, so encoded slashes (%2f) reach the handler as literal / characters
  • Is then passed directly to:

    git.Repository.Hook("custom hooks", name)

  which internally resolves the path as:

    filepath.Join(repoPath, "custom hooks", name)

Because no path sanitization is applied, supplying ../ sequences gives access to arbitrary paths outside the repository.
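A defensive check for the resolution step described above, written here as an added Go example (not Gogs' own code): unsafeHookPath mirrors the unvalidated join, while safeHookPath accepts only a single bare path element and then confirms the result still lies under the hooks directory. The repository path, the sample :name values and the directory name custom_hooks (the page renders it as "custom hooks") are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

// Per-repository custom hook directory (assumed; the page renders it as "custom hooks").
const hooksDirName = "custom_hooks"

var errInvalidHookName = errors.New("invalid hook name")

// unsafeHookPath mirrors the vulnerable resolution: the decoded name is joined
// without validation, so "../" segments escape the repository directory.
func unsafeHookPath(repoPath, name string) string {
	return filepath.Join(repoPath, hooksDirName, name)
}

// safeHookPath accepts only a single path element (no separators, not "." or "..")
// and then confirms the joined result is still inside the hooks directory.
func safeHookPath(repoPath, name string) (string, error) {
	if name == "" || name == "." || name == ".." ||
		strings.ContainsAny(name, `/\`) || filepath.Base(name) != name {
		return "", errInvalidHookName
	}
	hooksDir := filepath.Join(repoPath, hooksDirName)
	full := filepath.Join(hooksDir, name)
	// Defence in depth: the path relative to hooksDir must not climb out of it.
	rel, err := filepath.Rel(hooksDir, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errInvalidHookName
	}
	return full, nil
}

func main() {
	repo := "/srv/gogs/repos/alice/proj.git" // constructed sample repository path
	// Constructed sample :name values as sent in the URL; the router percent-decodes
	// them before the handler sees them, so %2F reaches the join as a literal slash.
	for _, raw := range []string{"pre-receive", "..%2F..%2F..%2Fcustom%2Fconf%2Fapp.ini"} {
		name, _ := url.PathUnescape(raw)
		p, err := safeHookPath(repo, name)
		fmt.Printf("%q\n  unsafe: %s\n  safe:   %s %v\n", raw, unsafeHookPath(repo, name), p, err)
	}
}
```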

As a Result:

  • GET: Arbitrary file contents are displayed in the hook edit page textarea (Local File Inclusion).
  • POST: Existing files can be overwritten with attacker-controlled content (Arbitrary File Write).

Attack Prerequisites

  • The attacker is an authenticated user
  • The attacker has Admin or higher privileges on the target repository
  • The attacker has the AllowGitHook permission (or is a site administrator)
  • The target file is readable/writable under the OS permissions of the Gogs process

Attack Scenario

  1. An attacker (with AllowGitHook + repository Admin privileges) accesses the Git hook edit URL
  2. A path containing ../ is supplied in :name, fully URL-encoded using %2f
  3. The server resolves custom hooks/../../... without validation
  4. Arbitrary file contents are displayed and existing files can be overwritten

Potential Impact

  • Sensitive information disclosure: app.ini, databases, logs, environment variables, etc.
  • Configuration or data tampering: Overwriting existing files
  • Secondary impact: Extraction of SECRET_KEY and database credentials may allow token forging or further compromise

Fix

Path traversal


Weakness Enumeration

Related Identifiers

GHSA-MRPH-W4HH-GX3G

Affected Products

Gogs.Io/Gogs