Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2024-39930 — Argument Injection in Gogs

CWE-88 — Argument Injection7 documents4 sources

Severity

9.9CRITICALNVD

EPSS

11.9%

top 6.24%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Gogs.io Gogs Github.com Gogs Gogs Gogs

Timeline

PublishedJul 4

Latest updateJul 2

Description

The built-in SSH server of Gogs through 0.13.0 allows argument injection in internal/ssh/ssh.go, leading to remote code execution. Authenticated attackers can exploit this by opening an SSH connection and sending a malicious --split-string env request if the built-in SSH server is activated. Windows installations are unaffected.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HExploitability: 3.1 | Impact: 6.0

Affected Packages3 packages

▶Gogogs.io/gogs< 0.13.1

▶NVDgogs/gogs0.13.0

▶Gogithub.com/gogs_gogs0.13.0

🔴Vulnerability Details

OSV

Gogs has an argument Injection in the built-in SSH server↗2024-12-23

▶

GHSA

Gogs has an argument Injection in the built-in SSH server↗2024-12-23

▶

OSV

github.com/gogs/gogs affected by CVE-2024-39930↗2024-07-09

▶

GHSA

Duplicate Advisory: github.com/gogs/gogs affected by CVE-2024-39930↗2024-07-04

▶

OSV

Duplicate Advisory: github.com/gogs/gogs affected by CVE-2024-39930↗2024-07-04

▶

💥Exploits & PoCs

Exploit-DB

gogs 0.13.0 - Remote Code Execution (RCE)↗2025-07-02

▶