CVE-2024-56731
Published 2025-06-24
PriorityP266critical9.8CVSS 3.1
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS 0.95% (56.8th percentile)
Gogs is an open source self-hosted Git service. Prior to version 0.13.3, it is still possible to delete files under the .git directory and achieve remote command execution due to an insufficient patch for CVE-2024-39931. Unprivileged user accounts can execute arbitrary commands on the Gogs instance with the privileges of the account specified by RUN_USER in the configuration, allowing attackers to access and alter any user's code hosted on the same instance. This issue has been patched in version 0.13.3.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gogs.io | gogs | >= 0 < 0.13.3 | 0.13.3 |
| gogs | gogs | < 0.14.0+dev | 0.14.0+dev |
| gogs | gogs | < 0.13.4 | 0.13.4 |
| gogs | gogs | < 0.13.3 | 0.13.3 |
| gogs | gogs | < 0.13.4 | 0.13.4 |
Detection & IOCs (extracted from sources)
- Look for creation of repositories with random 8-character names, which is a strong indicator of automated exploitation activity against Gogs instances.
- Monitor for unexpected usage of the PutContents API on Gogs instances, especially writes that resolve through symbolic links to paths outside the repository.
- Detect UPX-packed Go binaries compiled with the garble tool (randomized class names, encrypted string literals) dropped on Gogs host systems as indicators of a post-exploitation Supershell C2 payload.
- Identify Supershell C2 framework activity: a reverse SSH shell communicating over web services originating from compromised Gogs hosts.
- Flag modifications to the sshCommand field of .git/config in Gogs-managed repositories as a sign of RCE setup via symlink abuse.
- Gogs instances with 'Open Registration' enabled (the default) are directly exploitable by any unauthenticated user who registers an account, dramatically widening the attack surface.
- The RUN_USER configuration value in Gogs determines the OS privilege level under which arbitrary commands execute when this CVE is exploited; high-privilege RUN_USER settings increase the blast radius.
- Gogs versions <= 0.13.3 are vulnerable; the fix for CVE-2024-39931 was insufficient, and the symlink-based bypass (CVE-2024-56731 / CVE-2025-8110) remained exploitable until v0.13.4.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| ghsa | | 9.9 | CRITICAL | |
| osv | | 9.9 | CRITICAL | |
OSV
Gogs allows deletion of internal files which leads to remote command execution in gogs.io/gogs
osv · 2025-07-28 · CVE-2024-56731
OSV
Gogs allows deletion of internal files which leads to remote command execution
osv · 2025-06-24 · CVSS 9.9 · CVE-2024-56731 [CRITICAL]
### Summary
Due to the insufficient patch for the CVE-2024-39931, it's still possible to delete files under the `.git` directory and achieve remote command execution.
### Details
In the patch for CVE-2024-39931, the following check is added:
https://github.com/gogs/gogs/commit/77a4a945ae9a87f77e392e9066b560edb71b5de9
```diff
+ // 🚨 SECURITY: Prevent uploading files into the ".git" directory
+ if isRepositoryGitPath(opts.TreePath) {
+ return errors.Errorf("bad tree path %q", opts.TreePath)
+ }
```
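Review bot: the guard `if isRepositoryGitPath(opts.TreePath)` inspects only the tree path string, so a path whose component is a symbolic link pointing at `.git` is not caught and the later steps still operate through the link (the bypass the advisory describes). Suggest resolving the path on disk (for example with `filepath.EvalSymlinks`) before the write or delete, re-running the `.git` check and a repository-root containment check on the resolved path, and rejecting symlink components outright where the repository does not need them.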
While the above code snippet checks if the specified path is a `.git` directory, there are no checks for symbolic links in the later steps. So, by creating a symbolic link that points to the `.git` directory, an at
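The hardened check the advisory implies, shown as an added illustrative example written for this page and not Gogs' own code: `isRepositoryGitPath` is a simplified reimplementation of the lexical guard quoted above, and `ResolveTreePath` (a hypothetical name) adds on-disk symlink resolution plus a containment check, so it also catches a symlink that escapes the repository root entirely (the variant the Wiz write-up of CVE-2025-8110 describes), which goes beyond the `.git` case in the advisory text. `Demo` builds a constructed throwaway repository with a symlink `link -> .git` and evaluates the tree path `link/config` with both checks.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// isRepositoryGitPath is a simplified stand-in for the lexical guard shown in
// the advisory (not Gogs' own implementation): it reports whether any
// component of the tree path is ".git". It sees only the string, so a symlink
// named "link" that points at ".git" passes.
func isRepositoryGitPath(treePath string) bool {
	clean := filepath.ToSlash(filepath.Clean(treePath))
	for _, part := range strings.Split(clean, "/") {
		if strings.EqualFold(part, ".git") {
			return true
		}
	}
	return false
}

// ResolveTreePath (hypothetical name) is the hardened variant. After the
// lexical check it resolves symbolic links on disk and requires the real
// target to lie inside repoRoot and outside repoRoot/.git. The target may not
// exist yet (a file about to be created), so it resolves the deepest existing
// ancestor and re-attaches the remaining components.
func ResolveTreePath(repoRoot, treePath string) (string, error) {
	if isRepositoryGitPath(treePath) {
		return "", fmt.Errorf("bad tree path %q", treePath)
	}
	root, err := filepath.EvalSymlinks(repoRoot)
	if err != nil {
		return "", err
	}
	// Rooting the path at "/" before Clean neutralises leading "../" components.
	clean := filepath.Clean(string(filepath.Separator) + filepath.FromSlash(treePath))
	candidate := filepath.Join(root, clean)

	// Walk up until a component exists on disk, then resolve that prefix.
	existing, rest := candidate, ""
	for {
		if _, err := os.Lstat(existing); err == nil {
			break
		}
		parent, base := filepath.Dir(existing), filepath.Base(existing)
		if parent == existing {
			return "", fmt.Errorf("cannot resolve %q", treePath)
		}
		rest = filepath.Join(base, rest)
		existing = parent
	}
	resolved, err := filepath.EvalSymlinks(existing)
	if err != nil {
		return "", err
	}
	real := filepath.Join(resolved, rest)

	// Containment: the resolved target must stay under the resolved root ...
	rel, err := filepath.Rel(root, real)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("tree path %q resolves outside the repository", treePath)
	}
	// ... and must not land inside .git after symlinks are followed.
	if isRepositoryGitPath(rel) {
		return "", fmt.Errorf("tree path %q resolves into .git", treePath)
	}
	return real, nil
}

// Demo builds a constructed throwaway repository (a .git/config file plus a
// symlink "link" -> ".git") and evaluates the tree path "link/config" with
// both checks. It returns whether the lexical check accepted the path and
// whether the hardened check rejected it.
func Demo() (lexicalAccepts, hardenedRejects bool, err error) {
	root, err := os.MkdirTemp("", "gogs-symlink-demo-")
	if err != nil {
		return false, false, err
	}
	defer os.RemoveAll(root)

	if err = os.MkdirAll(filepath.Join(root, ".git"), 0o700); err != nil {
		return false, false, err
	}
	if err = os.WriteFile(filepath.Join(root, ".git", "config"), []byte("[core]\n"), 0o600); err != nil {
		return false, false, err
	}
	// Constructed: a symlink inside the working tree whose target is ".git".
	if err = os.Symlink(".git", filepath.Join(root, "link")); err != nil {
		return false, false, err
	}

	const treePath = "link/config"
	lexicalAccepts = !isRepositoryGitPath(treePath)
	_, resolveErr := ResolveTreePath(root, treePath)
	return lexicalAccepts, resolveErr != nil, nil
}

func main() {
	lexical, hardened, err := Demo()
	if err != nil {
		fmt.Println("demo failed:", err)
		return
	}
	fmt.Printf("lexical check accepts link/config: %v\n", lexical)
	fmt.Printf("hardened check rejects link/config: %v\n", hardened)
}
```

The design point is that the check must run on what the filesystem will actually touch, not on the string the client sent: resolving the deepest existing ancestor handles the create-new-file case, and comparing against a root that was itself passed through `EvalSymlinks` keeps the containment test correct on hosts where the repository directory is reached through a link.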
GHSA
Gogs allows deletion of internal files which leads to remote command execution
ghsa · 2025-06-24 · CVSS 9.9 · CVE-2024-56731 [CRITICAL] · CWE-552
No detection rules found.
No public exploits indexed.
Wiz
Gogs Zero-Day RCE (CVE-2025-8110) Actively Exploited | Wiz Blog
blogs_wiz · 2025-12-10 · CVSS 8.7 · CVE-2025-8110 [HIGH]
# Executive Summary
- While investigating a malware infection on a customer workload, Wiz Research discovered an active zero-day vulnerability in Gogs, a popular self-hosted Git service.
- A symlink bypass (CVE-2025-8110) of a previously patched RCE (CVE-2024-55947) allows authenticated users to overwrite files outside the repository, leading to Remote Code Execution (RCE).
- We identified over 700 compromised instances public-facing on the internet.
- Update: As of January 23, 2026, a fix has been issued in version v0.13.4.
# Introduction
On July 10th, the Wiz Threat Research team observed malware findings on public-facing instances of Gogs, a popular self-hosted Git service. What began as a routine investigation into an infected machine turned into the accidental discovery of a live z
Wiz
CVE-2025-64111 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 10.0 · CVE-2025-64111 [CRITICAL]
## CVE-2025-64111: Gogs vulnerability analysis and mitigation
Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, due to the insufficient patch for CVE-2024-56731, it's still possible to update files in the .git directory and achieve remote command execution. This issue has been patched in versions 0.13.4 and 0.14.0+dev.
Source: NVD
| Field | Value |
|---|---|
| Score | 9.3 |
| Published | February 6, 2026 |
| Severity | CRITICAL |
| CNA Score | 9.3 |
| Affected Technologies | Gogs |
| Has Public Exploit | Yes |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 44.6 |
| Exploitation Probability (EPSS) | 0.2 |
Affected packages and libraries
gogs.io/gogs
gogs
Sources
NVD
Alpine 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20 Se
Published 2025-06-24