CVE-2024-56731: Files or Directories Accessible to External Parties in Gogs

Severity
9.8 CRITICAL (NVD)
Per-source scores: NVD 9.3 | GHSA 9.9 | OSV 9.9
EPSS
2.6%
top 14.41%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Jun 24
Latest update: Dec 10

Description

Gogs is an open source self-hosted Git service. Prior to version 0.13.3, it is still possible to delete files under the .git directory and achieve remote command execution, because the patch for CVE-2024-39931 was insufficient. Unprivileged user accounts can execute arbitrary commands on the Gogs instance with the privileges of the account specified by RUN_USER in the configuration, allowing attackers to access and alter any user's code hosted on the same instance. This issue has been patched in version

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (3 packages)

Source    | Package       | Affected versions
CVEListV5 | gogs/gogs     | < 0.14.0+dev+1
NVD       | gogs/gogs     | < 0.13.3+1
Go        | gogs.io/gogs  | < 0.13.3

Patches

🔴 Vulnerability Details (3)

OSV: Gogs allows deletion of internal files which leads to remote command execution in gogs.io/gogs (2025-07-28)
OSV: Gogs allows deletion of internal files which leads to remote command execution (2025-06-24)
GHSA: Gogs allows deletion of internal files which leads to remote command execution (2025-06-24)

🕵️ Threat Intelligence (3)

Wiz: Gogs Zero-Day RCE (CVE-2025-8110) Actively Exploited | Wiz Blog (2025-12-10)
Wiz: CVE-2025-64111 Impact, Exploitability, and Mitigation Steps | Wiz