CVE-2024-39931
Published 2024-07-04. CVE-2024-39931: Gogs through 0.13.0 allows deletion of internal files.
Priority P270 · Severity: critical · CVSS 3.1 base score: 9.9
Vector: AV:N / AC:L / PR:L / UI:N / S:C / C:H / I:H / A:H
EPSS: 50.70% (98.8th percentile)
Gogs through 0.13.0 allows deletion of internal files.
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | gogs_gogs | 0 – 0.13.0 | — |
| gogs.io | gogs | >= 0 < 0.13.1 | 0.13.1 |
| gogs.io | gogs | >= 0 < 0.13.3 | 0.13.3 |
| gogs | gogs | < 0.14.0+dev | 0.14.0+dev |
| gogs | gogs | < 0.13.4 | 0.13.4 |
| gogs | gogs | < 0.13.3 | 0.13.3 |
| gogs | gogs | < 0.13.3 | 0.13.3 |
| gogs | gogs | <= 0.13.0 | — |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| NVD (v3.1) | 9.9 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| GHSA | 9.9 | CRITICAL | |
| OSV | 9.9 | CRITICAL | |
OSV
osv·2025-06-24·CVSS 9.9
CVE-2024-56731 [CRITICAL] Gogs allows deletion of internal files which leads to remote command execution
### Summary
Because the patch for CVE-2024-39931 is insufficient, it is still possible to delete files under the `.git` directory and achieve remote command execution.
### Details
In the patch for CVE-2024-39931, the following check is added:
https://github.com/gogs/gogs/commit/77a4a945ae9a87f77e392e9066b560edb71b5de9
```diff
+ // 🚨 SECURITY: Prevent uploading files into the ".git" directory
+ if isRepositoryGitPath(opts.TreePath) {
+ return errors.Errorf("bad tree path %q", opts.TreePath)
+ }
```
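Review bot: the guard `isRepositoryGitPath(opts.TreePath)` inspects only the string `opts.TreePath`; it never resolves that path against the working copy, so a tree path whose first component is a symbolic link pointing at `.git` (for example `link/config` with `link -> .git`) passes the check while the later write or delete still lands inside `.git`. Before continuing, resolve the target (and, for a file that does not exist yet, its parent directory) with `filepath.EvalSymlinks` and reject it when the real path lies inside the repository's `.git` directory or outside the repository root, or alternatively refuse any tree path that contains a symlink component.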
While the check above rejects a tree path that lexically names the `.git` directory, the later steps perform no checks for symbolic links. So, by creating a symbolic link that points to the `.git` directory, an at
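The symlink bypass described in the Details section above, as an added example that is not code from Gogs or from the advisory: a purely lexical `.git` check of the kind the CVE-2024-39931 patch introduced (here a hypothetical `isGitTreePath`, not Gogs' own `isRepositoryGitPath`) beside a filesystem-aware check (`resolvesIntoGitDir`) that follows symlinks before deciding. The throwaway repository layout built by `BuildDemoRepo` (a `.git/config`, a regular `src/main.go`, and a symlink `link -> .git`) is constructed for this example only.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// gitDirName is the directory that upload and delete handlers must never touch.
const gitDirName = ".git"

// isGitTreePath is a purely lexical check in the spirit of the CVE-2024-39931
// fix (hypothetical reimplementation, not Gogs' isRepositoryGitPath): it
// rejects a tree path when any segment is ".git". It never consults the
// filesystem, so "link/config" passes even when "link" is a symlink to ".git".
func isGitTreePath(treePath string) bool {
	clean := strings.Trim(filepath.ToSlash(filepath.Clean("/"+treePath)), "/")
	for _, seg := range strings.Split(clean, "/") {
		if seg == gitDirName {
			return true
		}
	}
	return false
}

// within reports whether p is base or a descendant of base.
// Both arguments must already be absolute and symlink-free.
func within(base, p string) bool {
	rel, err := filepath.Rel(base, p)
	if err != nil {
		return false
	}
	sep := string(filepath.Separator)
	return rel == "." || (rel != ".." && !strings.HasPrefix(rel, ".."+sep))
}

// realTargetPath resolves every symlink in repoRoot/treePath. A path that does
// not exist yet (an upload) is resolved at its deepest existing ancestor and
// the remaining segments are appended unchanged.
func realTargetPath(repoRoot, treePath string) (string, error) {
	target := filepath.Join(repoRoot, filepath.FromSlash(treePath))
	rest := ""
	for {
		resolved, err := filepath.EvalSymlinks(target)
		if err == nil {
			return filepath.Join(resolved, rest), nil
		}
		if !errors.Is(err, os.ErrNotExist) {
			return "", err
		}
		parent := filepath.Dir(target)
		if parent == target { // reached the filesystem root: nothing exists
			return "", err
		}
		rest = filepath.Join(filepath.Base(target), rest)
		target = parent
	}
}

// resolvesIntoGitDir is the filesystem-aware check: after following symlinks,
// does repoRoot/treePath land inside repoRoot/.git, or escape repoRoot
// altogether? Either case is reported as forbidden (true).
func resolvesIntoGitDir(repoRoot, treePath string) (bool, error) {
	rootReal, err := filepath.EvalSymlinks(repoRoot)
	if err != nil {
		return false, err
	}
	realPath, err := realTargetPath(rootReal, treePath)
	if err != nil {
		return false, err
	}
	if !within(rootReal, realPath) {
		return true, nil
	}
	return within(filepath.Join(rootReal, gitDirName), realPath), nil
}

// BuildDemoRepo creates a throwaway working copy (constructed for this example):
// .git/config, .git/hooks/, a regular src/main.go, and a symlink "link" -> ".git".
func BuildDemoRepo() (root string, cleanup func(), err error) {
	if root, err = os.MkdirTemp("", "gogs-symlink-demo-"); err != nil {
		return "", nil, err
	}
	cleanup = func() { os.RemoveAll(root) }
	for _, step := range []func() error{
		func() error { return os.MkdirAll(filepath.Join(root, gitDirName, "hooks"), 0o755) },
		func() error { return os.WriteFile(filepath.Join(root, gitDirName, "config"), []byte("[core]\n"), 0o644) },
		func() error { return os.MkdirAll(filepath.Join(root, "src"), 0o755) },
		func() error { return os.WriteFile(filepath.Join(root, "src", "main.go"), []byte("package main\n"), 0o644) },
		func() error { return os.Symlink(gitDirName, filepath.Join(root, "link")) },
	} {
		if err = step(); err != nil {
			cleanup()
			return "", nil, err
		}
	}
	return root, cleanup, nil
}

func main() {
	root, cleanup, err := BuildDemoRepo()
	if err != nil {
		panic(err)
	}
	defer cleanup()
	for _, tp := range []string{"src/main.go", ".git/config", "link/config", "link/hooks/pre-receive", "../escape"} {
		resolved, err := resolvesIntoGitDir(root, tp)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-24s lexical=%-5v resolved=%v\n", tp, isGitTreePath(tp), resolved)
	}
}
```

Running `main` prints one row per tree path: the lexical check catches `.git/config` but passes `link/config` and `link/hooks/pre-receive`, while the resolving check rejects both, and also rejects `../escape` because it leaves the repository root. The resolving check is deliberately strict: a tree path that names the symlink itself (`link`) is rejected too, since it resolves to `.git`; that is a harmless false positive for a file-delete handler.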
GHSA
ghsa·2025-06-24·CVSS 9.9
CVE-2024-56731 [CRITICAL] CWE-552 Gogs allows deletion of internal files which leads to remote command execution
Summary and Details are identical to the OSV entry for CVE-2024-56731 above.
OSV
osv·2024-12-23·CVSS 9.9
CVE-2024-39931 [CRITICAL] Gogs allows deletion of internal files
### Impact
Unprivileged user accounts can execute arbitrary commands on the Gogs instance with the privileges of the account specified by `RUN_USER` in the configuration. It allows attackers to access and alter any users' code hosted on the same instance.
### Patches
Deletion of `.git` files has been prohibited (https://github.com/gogs/gogs/pull/7870). Users should upgrade to 0.13.1 or the latest 0.14.0+dev.
### Workarounds
No viable workaround is available; on affected versions, grant access to your Gogs instance only to trusted users.
### References
https://www.cve.org/CVERecord?id=CVE-2024-39931
GHSA
ghsa·2024-12-23·CVSS 9.9
CVE-2024-39931 [CRITICAL] CWE-552 Gogs allows deletion of internal files
Impact, Patches, Workarounds and References are identical to the OSV entry for CVE-2024-39931 above.
OSV
osv·2024-07-09
CVE-2024-39931 Gogs allows deletion of internal files in github.com/gogs/gogs
OSV
osv·2024-07-04
CVE-2024-39931 [CRITICAL] Duplicate Advisory: Gogs allows deletion of internal files
# Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-ccqv-43vm-4f3w. This link is maintained to preserve external references.
# Original Description
Gogs through 0.13.0 allows deletion of internal files.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2024-07-04