Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2024-55947 — Path Traversal in Gogs

CWE-22 — Path Traversal12 documents6 sources

Severity

8.7HIGHNVD

EPSS

80.1%

top 0.89%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Gogs.io Gogs Gogs

Timeline

PublishedDec 23

Latest updateJan 12

Description

Gogs is an open source self-hosted Git service. A malicious user is able to write a file to an arbitrary path on the server to gain SSH access to the server. The vulnerability is fixed in 0.13.1.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages2 packages

▶NVDgogs/gogs< 0.13.1

▶Gogogs.io/gogs< 0.13.1+1

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Gogs vulnerable to a bypass of CVE-2024-55947 in gogs.io/gogs↗2025-12-15

▶

GHSA

Gogs vulnerable to a bypass of CVE-2024-55947↗2025-12-10

▶

OSV

Gogs vulnerable to a bypass of CVE-2024-55947↗2025-12-10

▶

OSV

Path Traversal in file update API in gogs in gogs.io/gogs↗2025-01-07

▶

GHSA

Path Traversal in file update API in gogs↗2024-12-23

▶

💥Exploits & PoCs

Nuclei

Gogs <= 0.13.3 - Remote Code Execution

▶

🕵️Threat Intelligence

Bleepingcomputer

CISA orders feds to patch Gogs RCE flaw exploited in zero-day attacks↗2026-01-12

▶

Bleepingcomputer

Hackers exploit unpatched Gogs zero-day to breach 700 servers↗2025-12-11

▶

Wiz

Gogs Zero-Day RCE (CVE-2025-8110) Actively Exploited | Wiz Blog↗2025-12-10

▶

Wiz

Gogs Zero-Day RCE (CVE-2025-8110) Actively Exploited | Wiz Blog↗2025-12-10

▶