cbcvebase.
CVE-2024-56731
published 2025-06-24


Priority: P2 (66), critical
CVSS 3.1: 9.8, vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.95% (56.8th percentile)
Gogs is an open source self-hosted Git service. Prior to version 0.13.3, it is still possible to delete files under the .git directory and achieve remote command execution because the patch for CVE-2024-39931 was insufficient. Unprivileged user accounts can execute arbitrary commands on the Gogs instance with the privileges of the account specified by RUN_USER in the configuration, which allows attackers to access and alter any user's code hosted on the same instance. This issue has been patched in version 0.13.3.

Affected

5 ranges

Vendor    Product   Version range      Fixed in
gogs.io   gogs      >= 0, < 0.13.3     0.13.3
gogs      gogs      < 0.14.0+dev       0.14.0+dev
gogs      gogs      < 0.13.4           0.13.4
gogs      gogs      < 0.13.3           0.13.3
gogs      gogs      < 0.13.4           0.13.4

Detection & IOCs (extracted from sources)

Path: .git/config
  • Look for creation of repositories with random 8-character names, which is a strong indicator of automated exploitation activity against Gogs instances.
  • Monitor for unexpected usage of the PutContents API on Gogs instances, especially writes that resolve through symbolic links to paths outside the repository.
  • Detect UPX-packed Go binaries compiled with the garble tool (randomized class names, encrypted string literals) dropped on Gogs host systems as indicators of a post-exploitation Supershell C2 payload.
  • Identify Supershell C2 framework activity: reverse SSH shell communicating over web services originating from compromised Gogs hosts.
  • Flag modifications to the sshCommand field in .git/config on Gogs-managed repositories as a sign of RCE setup via symlink abuse.
  • Gogs instances with 'Open Registration' enabled (the default) are directly exploitable by any unauthenticated user who registers an account, dramatically widening the attack surface.
  • The RUN_USER configuration value in Gogs determines the OS privilege level under which arbitrary commands execute when this CVE is exploited; high-privilege RUN_USER settings increase the blast radius.
  • Gogs versions <= 0.13.3 are vulnerable; the fix for CVE-2024-39931 was insufficient, and the symlink-based bypass (CVE-2024-56731 / CVE-2025-8110) remained exploitable until v0.13.4.

CVSS provenance

nvd   v3.1   9.8   CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ghsa         9.9   CRITICAL
osv          9.9   CRITICAL