CVE-2024-54148 — Path Traversal in Gogs

CWE-22 — Path Traversal CWE-61 — UNIX Symbolic Link (Symlink) Following6 documents4 sources

Severity

8.7HIGHNVD

EPSS

0.5%

top 35.31%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gogs.io Gogs Gogs

Timeline

PublishedDec 23

Latest updateDec 10

Description

Gogs is an open source self-hosted Git service. A malicious user is able to commit and edit a crafted symlink file to a repository to gain SSH access to the server. The vulnerability is fixed in 0.13.1.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages2 packages

▶NVDgogs/gogs< 0.13.1

▶Gogogs.io/gogs< 0.13.1

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Remote Command Execution in file editing in gogs in gogs.io/gogs↗2025-01-07

▶

OSV

Remote Command Execution in file editing in gogs↗2024-12-23

▶

GHSA

Remote Command Execution in file editing in gogs↗2024-12-23

▶

🕵️Threat Intelligence

Wiz

Gogs Zero-Day RCE (CVE-2025-8110) Actively Exploited | Wiz Blog↗2025-12-10

▶

Wiz

Gogs Zero-Day RCE (CVE-2025-8110) Actively Exploited | Wiz Blog↗2025-12-10

▶