CVE-2024-39930
Published: 2024-07-04
Priority: P2 (74) · Critical · CVSS 3.1 base score 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
Exploit: available
EPSS: 7.26% (93.6th percentile)
The built-in SSH server of Gogs through 0.13.0 allows argument injection in internal/ssh/ssh.go, leading to remote code execution. Authenticated attackers can exploit this by opening an SSH connection and sending a malicious --split-string env request if the built-in SSH server is activated. Windows installations are unaffected.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | gogs_gogs | 0 – 0.13.0 | — |
| gogs.io | gogs | >= 0 < 0.13.1 | 0.13.1 |
| gogs.io | gogs | >= 0 < 0.14.3 | 0.14.3 |
| gogs | gogs | <= 0.13.0 | — |
Detection & IOCs (extracted from sources)
Items marked (rebase) concern the separate `git rebase --exec` argument injection covered by the GHSA and Rapid7 entries further down this page, not the SSH server issue tracked as CVE-2024-39930.
- Detect SSH environment variable injection: flag sessions to the Gogs built-in SSH server in which an `env` request sets a variable named `--split-string`; that request is the core exploitation mechanism for CVE-2024-39930.
- Alert on an SSH `exec` request for `git-upload-pack` immediately following such an env request; this is the exploit delivery sequence.
- (rebase) Detect `git rebase` invocations where the base-branch argument begins with `--exec=`, indicating argument injection into the rebase call from a malicious branch name.
- (rebase) Monitor Git ref-creation events (`refs/heads/`) for branch names containing `--exec=`; the attacker must push the malicious branch to the repository before triggering the exploit.
- (rebase) Look for HTTP 500 responses from the Gogs server after a pull request merge attempt that uses "Rebase before merging"; the injected command has already run by the time the 500 is returned, so the error marks a completed attempt, not a failed one.
- (rebase) Detect `${IFS}` in Git branch names or rebase arguments; it is used as a whitespace substitute to pass shell commands through Git's branch-name restrictions, which forbid spaces.
- (rebase) On Windows targets, watch for a hidden script file (e.g. `.abcdef`) committed to a repository together with a branch name such as `--exec=sh${IFS}.abcdef`, the file-based Windows payload delivery method.
- Rapid7 provides a Metasploit module for this vulnerability; detect automated exploitation by correlating rapid sequential API calls to `/api/v1/user/repos` (repository creation) and `/api/v1/user/keys` (SSH key addition) followed by an SSH connection from the same source.
Caveats
- The SSH attack vector (CVE-2024-39930) applies only when the Gogs built-in SSH server is enabled; Windows installations are unaffected by this vector.
- The rebase merge attack path requires "Rebase before merging" (`PullsAllowRebase`) to be enabled on a repository; any repository owner can enable it, so restricting repository creation is the most effective mitigation.
- Auditing or disabling rebase merge per repository is not an effective defense against a malicious repository owner, who can re-enable the setting at will.
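The ref-name and rebase-argument checks described in the detection notes above, as an added example in Go (not Gogs's, Rapid7's, or any detection vendor's code). The `refEvent` structure and the sample events are constructed for this example; `safeRebaseArgv` shows one way to keep a branch name from being read as a `git rebase` option, namely refusing names that begin with `-` and passing the fully qualified `refs/heads/` form. That helper is an illustration of the hardening idea, not the upstream fix.

```go
package main

import (
	"fmt"
	"strings"
)

// refEvent is a constructed ref-creation record, modelled on what a push hook
// or audit log would carry (actor, repository, fully qualified ref name).
type refEvent struct {
	Actor string
	Repo  string
	Ref   string
}

// ifsBypass is the shell whitespace substitute called out in the detection notes.
const ifsBypass = "${IFS}"

// branchName strips the refs/heads/ prefix; tags and other refs are ignored.
func branchName(ref string) (string, bool) {
	const prefix = "refs/heads/"
	if !strings.HasPrefix(ref, prefix) {
		return "", false
	}
	return strings.TrimPrefix(ref, prefix), true
}

// suspiciousBranch returns the reasons a branch name looks like an attempt to
// inject arguments into a git command; an empty result means nothing matched.
func suspiciousBranch(name string) []string {
	var reasons []string
	if strings.HasPrefix(name, "-") {
		reasons = append(reasons, "starts with '-' and can be parsed as a git option")
	}
	if strings.Contains(name, "--exec=") {
		reasons = append(reasons, "contains --exec= (git rebase --exec runs a shell command)")
	}
	if strings.Contains(name, ifsBypass) {
		reasons = append(reasons, "contains ${IFS} (shell whitespace bypass)")
	}
	return reasons
}

// scanEvents applies suspiciousBranch to every refs/heads/ creation and emits
// one alert line per hit, in a form a log pipeline can index.
func scanEvents(events []refEvent) []string {
	var alerts []string
	for _, e := range events {
		name, ok := branchName(e.Ref)
		if !ok {
			continue
		}
		if reasons := suspiciousBranch(name); len(reasons) > 0 {
			alerts = append(alerts, fmt.Sprintf("ALERT actor=%s repo=%s ref=%q reasons=%s",
				e.Actor, e.Repo, e.Ref, strings.Join(reasons, "; ")))
		}
	}
	return alerts
}

// safeRebaseArgv builds a "git rebase <base>" argument list that cannot have
// its base branch read as an option: names beginning with '-' are refused and
// the branch is passed in its refs/heads/ form (assumed mitigation, not Gogs's fix).
func safeRebaseArgv(base string) ([]string, error) {
	if strings.HasPrefix(base, "-") {
		return nil, fmt.Errorf("refusing rebase base %q: branch name looks like an option", base)
	}
	return []string{"git", "rebase", "refs/heads/" + base}, nil
}

func main() {
	// Constructed sample events: one benign branch, one malicious branch, one tag.
	events := []refEvent{
		{Actor: "alice", Repo: "alice/demo", Ref: "refs/heads/feature/login"},
		{Actor: "mallory", Repo: "mallory/pwn", Ref: "refs/heads/--exec=sh${IFS}.abcdef"},
		{Actor: "mallory", Repo: "mallory/pwn", Ref: "refs/tags/v1.0"},
	}
	for _, a := range scanEvents(events) {
		fmt.Println(a)
	}
	if _, err := safeRebaseArgv("--exec=sh${IFS}.abcdef"); err != nil {
		fmt.Println(err)
	}
}
```

Run the scanner against ref-creation events as they arrive; because the branch must exist before the merge is triggered, the alert fires before the rebase step, which is the point at which the command would execute.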
CVSS provenance
- NVD: v3.1 9.9 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
- GHSA: 9.9 CRITICAL
- OSV: 9.9 CRITICAL
GHSA
Gogs vulnerable to RCE via git rebase --exec argument injection in pull request merge
ghsa · 2026-06-23
CVE-2026-52806 [CRITICAL] CWE-77
# Gogs: RCE via `git rebase --exec` Argument Injection in PR Merge
## Summary
Gogs allows authenticated users to achieve Remote Code Execution (RCE) on the server by creating a pull request with a specially crafted branch name that injects the `--exec` flag into the `git rebase` command during the "Rebase before merging" merge operation.
## Severity
**Critical** - CVSS 3.1 Base Score: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
## Affected Versions
- **Gogs 0.14.2** (latest supported release)
- Gogs 0.15.0+dev (commit `b53d3162`, main branch as of 2026-03-16)
- All prior versions that support the "Rebase before merging" merge style
## Impact
This is a **privilege escalation from authenticated user
OSV
Gogs has an argument Injection in the built-in SSH server
osv · 2024-12-23 · CVSS 9.9
CVE-2024-39930 [CRITICAL]
### Impact
When the built-in SSH server is enabled (`[server] START_SSH_SERVER = true`), unprivileged user accounts with at least one SSH key can execute arbitrary commands on the Gogs instance with the privileges of the user specified by `RUN_USER` in the configuration. It allows attackers to access and alter any users' code hosted on the same instance.
### Patches
The `env` command sent to the internal SSH server has been changed to be a passthrough (https://github.com/gogs/gogs/pull/7868), i.e. the feature is effectively removed. Users should upgrade to 0.13.1 or the latest 0.14.0+dev.
### Workarounds
[Disable the use of built-in SSH server](https://github.com/gogs/gogs/blob/7adac94f1e93cc5c3545ea31688662dcef9cd737/conf/app
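The argv construction behind this advisory, as an added example in Go (not Gogs's own `internal/ssh/ssh.go`; it models the pattern the description gives, it does not reproduce the project's code). The assumption is that client-supplied `env` requests were formatted as `NAME=VALUE` arguments to `env(1)` in front of the real command, so a name of `--split-string` becomes the GNU `env --split-string=VALUE` option (alias `-S`), which re-splits `VALUE` into a new argv and runs it. The `gogs serv key-1` tail and the `envRequest` type are placeholders. The hardened variant does what the patch description amounts to in spirit: nothing the client sends reaches `env(1)`'s option parser, and only plain identifier names survive, destined for `exec.Cmd.Env` rather than argv.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// envRequest is the payload shape of an SSH "env" channel request (RFC 4254 §6.4).
type envRequest struct {
	Name  string
	Value string
}

// servArgs stands in for whatever the real server runs after env(1); placeholder.
var servArgs = []string{"gogs", "serv", "key-1"}

// vulnerableArgv reproduces the unsafe pattern: client-controlled names are
// formatted straight into env(1)'s argument list, ahead of the real command.
func vulnerableArgv(reqs []envRequest) []string {
	argv := []string{"env"}
	for _, r := range reqs {
		argv = append(argv, fmt.Sprintf("%s=%s", r.Name, r.Value))
	}
	return append(argv, servArgs...)
}

// envNameRe admits only plain POSIX variable names, so no accepted name can
// begin with '-' and be mistaken for an option by any program.
var envNameRe = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)

var errBadEnvName = errors.New("rejected env request: name is not a plain variable name")

// hardenedArgv rejects any non-identifier name and keeps accepted pairs out of
// argv entirely: they are returned separately for the caller to place on
// exec.Cmd.Env, where env(1) option parsing never sees them.
func hardenedArgv(reqs []envRequest) (argv []string, env []string, err error) {
	for _, r := range reqs {
		if !envNameRe.MatchString(r.Name) {
			return nil, nil, fmt.Errorf("%w: %q", errBadEnvName, r.Name)
		}
		env = append(env, r.Name+"="+r.Value)
	}
	argv = append([]string(nil), servArgs...)
	return argv, env, nil
}

// injectsEnvOption reports whether argv hands env(1) a client-chosen option,
// i.e. whether any argument between "env" and the real command starts with '-'.
func injectsEnvOption(argv []string) bool {
	if len(argv) == 0 || argv[0] != "env" {
		return false // env(1) is not being used, so there is no option parsing to abuse
	}
	end := len(argv) - len(servArgs)
	if end < 1 {
		end = 1
	}
	for _, a := range argv[1:end] {
		if strings.HasPrefix(a, "-") {
			return true
		}
	}
	return false
}

func main() {
	// Constructed malicious request of the kind the advisory describes.
	malicious := []envRequest{{Name: "--split-string", Value: "/bin/sh -c 'id > /tmp/pwned'"}}
	argv := vulnerableArgv(malicious)
	fmt.Println("vulnerable argv:", argv, "injects option:", injectsEnvOption(argv))
	if _, _, err := hardenedArgv(malicious); err != nil {
		fmt.Println("hardened:", err)
	}
	argv2, env, _ := hardenedArgv([]envRequest{{Name: "GIT_PROTOCOL", Value: "version=2"}})
	fmt.Println("hardened argv:", argv2, "env:", env)
}
```

The Windows exception in the advisory follows from the same model: without GNU `env` and its `-S` behaviour there is nothing for the injected option to drive.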
GHSA
Gogs has an argument Injection in the built-in SSH server
ghsa · 2024-12-23 · CVSS 9.9
CVE-2024-39930 [CRITICAL] CWE-88
Advisory text (Impact, Patches, Workarounds) is identical to the OSV entry above.
OSV
github.com/gogs/gogs affected by CVE-2024-39930
osv · 2024-07-09 · CVSS 9.9
CVE-2024-39930 [CRITICAL]
GHSA
Duplicate Advisory: github.com/gogs/gogs affected by CVE-2024-39930
ghsa · 2024-07-04 · CVSS 9.9
CVE-2024-39930 [CRITICAL] CWE-88
# Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-vm62-9jw3-c8w3. This link is maintained to preserve external references.
# Original Description
The built-in SSH server of Gogs through 0.13.0 allows argument injection in internal/ssh/ssh.go, leading to remote code execution. Authenticated attackers can exploit this by opening an SSH connection and sending a malicious --split-string env request if the built-in SSH server is activated. Windows installations are unaffected.
OSV
Duplicate Advisory: github.com/gogs/gogs affected by CVE-2024-39930
osv · 2024-07-04 · CVSS 9.9
CVE-2024-39930 [CRITICAL]
Withdrawn as a duplicate of GHSA-vm62-9jw3-c8w3; text identical to the GHSA duplicate advisory above.
No detection rules found.
BleepingComputer
Gogs patches critical zero-day enabling remote code execution
blogs_bleepingcomputer · 2026-06-08
CVE-2024-39933
By Sergiu Gatlan
Gogs has patched a critical security zero-day flaw that can allow attackers to compromise Internet-facing instances and access any repositories (including private ones).
This argument injection vulnerability has yet to be assigned a CVE ID, can only be exploited by authenticated attackers without admin privileges, and affects all Gogs releases up to and including 0.14.2 and 0.15.0+dev.
They can exploit this vulnerability to compromise the targeted server, read any repository (including private repos), steal credentials, move laterally to other systems on the network, and alter any hosted source code.
While threat actors would need at least basic user privileges to exploit the flaw, Rapid7 security resear
Rapid7
Authenticated RCE via Argument Injection in Gogs (NOT FIXED)
blogs_rapid7 · 2026-05-28
CVE-2024-39933
## Overview
Rapid7 Labs discovered a critical argument injection (CWE-88) vulnerability in Gogs, a popular open-source self-hosted Git service. Rapid7 Labs scores this vulnerability as CVSSv4 9.4 (Critical). The vulnerability allows any authenticated user to achieve remote code execution (RCE) on the server by creating a pull request with a malicious branch name that injects the `--exec` flag into `git rebase` during the "Rebase before merging" merge operation. At the time of publication, the vendor has not released a patch.
The exploit requires no admin privileges and no interaction with other users; an attacker operates entirely within their own account. Since Gogs ships with open registration enabled by default (`DISABLE_REGISTRATION = false`) and no limit on repository creation (MAX_
BleepingComputer
New Gogs zero-day flaw lets hackers get remote code execution
blogs_bleepingcomputer · 2026-05-28 · CVSS 7.7
CVE-2024-39933 [HIGH]
By Sergiu Gatlan
An unpatched zero-day vulnerability in the Gogs self-hosted Git service can allow attackers to gain remote code execution (RCE) on Internet-facing instances.
Designed as an alternative to GitHub Enterprise or GitLab and written in Go, Gogs is often exposed online for remote collaboration.
This critical severity argument injection security flaw has yet to be assigned a CVE ID, affects the latest release versions (Gogs 0.14.2 and 0.15.0+dev), and can only be exploited by authenticated attackers without admin privileges.
However, even though it requires basic user privileges to exploit, Rapid7 senior security researcher Jonah Burgess (who discovered the flaw) said the vulnerability affects all Gogs servers
References
- https://github.com/gogs/gogs/releases
- https://www.sonarsource.com/blog/securing-developer-tools-unpatched-code-vulnerabilities-in-gogs-1/
- https://www.vicarius.io/vsociety/posts/argument-injection-in-gogs-ssh-server-cve-2024-39930