CVE-2024-55947
published 2024-12-23


Priority: P1 (80)
Severity: high, 8.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
Exploit: public exploit known
EPSS: 75.20% (99.4th percentile)
Gogs is an open source self-hosted Git service. A malicious user is able to write a file to an arbitrary path on the server to gain SSH access to the server. The vulnerability is fixed in 0.13.1.

Affected

3 ranges

Vendor     Product   Version range       Fixed in
gogs.io    gogs      >= 0, < 0.13.1      0.13.1
gogs.io    gogs      0 – 0.13.3          (none listed)
gogs       gogs      < 0.13.1            0.13.1

Detection & IOCs

hash: d8fcd57a71f9f6e55b063939dc7c1523660b7383
hash: efda81e1100ea977321d0f2eeb0dfa7a6b132abd
ip:   119.45.176.196
ip:   106.53.108.81
ip:   119.91.42.53
path: .git/config
  • Look for repositories with random 8-character names created during the attack windows (July 10, 2025 and November 1, 2025) as a sign of compromise.
  • Monitor for suspicious or unexpected use of the PutContents API, especially writes that resolve through symbolic links to paths outside the repository.
  • Detect Gogs version fingerprinting: the login page body string 'Sign In - Gogs: Go Git Service' combined with version extraction from the 'Gogs Version:' string identifies vulnerable instances (<= 0.13.3).
  • The deployed malware is UPX-packed, written in Go, and compiled with the garble tool (randomized identifiers, encrypted string literals). Use the Supershell C2 framework's reverse-SSH-over-web-services behavior as a behavioral detection signal.
  • Detect overwrite of .git/config sshCommand field as an indicator of post-exploitation persistence/RCE setup.
  • Use Shodan query 'http.title:"Sign In - Gogs"' to identify exposed Gogs instances for proactive assessment.
  • CVE-2024-55947 is the original path traversal RCE in the PutContents API; the fix added path validation but did not account for symbolic links, which is the root cause of the bypass (CVE-2025-8110). Detection and patching must address both.
  • Open Registration is enabled by default in Gogs, meaning any unauthenticated internet user can register and then exploit this vulnerability without any prior account.
  • A sophisticated attacker could mark exploit repositories as private or delete them immediately after exploitation, making the 8-character repo name artifact unreliable as a sole indicator.

CVSS provenance

Source  Version  Score  Severity  Vector
nvd     v3.1     8.8    HIGH      CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd     v4.0     8.7    HIGH      CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
ghsa    -        8.7    HIGH      -
osv     -        8.7    HIGH      -