CVE-2025-64175
Published 2026-02-06
Priority: P359 · Severity: high · CVSS 3.1 base score: 8.8
EPSS: 0.42% (34.0th percentile)
Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, Gogs’ 2FA recovery code validation does not scope codes by user, enabling cross-account bypass. If an attacker knows a victim’s username and password, they can use any unused recovery code (e.g., from their own account) to bypass the victim’s 2FA. This enables full account takeover and renders 2FA ineffective in all environments where it's enabled. This issue has been patched in versions 0.13.4 and 0.14.0+dev.
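To make the defect class concrete, here is an added Go example (constructed for this page, not Gogs' own code; all type and function names are hypothetical) contrasting a recovery-code lookup keyed on the code alone with the corrected form that filters to the authenticating user's own unused codes and consumes a match:

```go
package main

import "crypto/subtle"

// RecoveryCode is a hypothetical single-use 2FA recovery code bound to one account.
// Constructed example code, not Gogs' own implementation.
type RecoveryCode struct {
	UserID int64
	Code   string
	Used   bool
}

// Store keeps every account's codes in one table, as a real database would.
type Store struct{ codes []*RecoveryCode }

// ValidateUnscoped mirrors the bug class in CVE-2025-64175: the lookup matches on
// the code alone, so any account's unused code satisfies any account's 2FA prompt.
func (s *Store) ValidateUnscoped(code string) bool {
	for _, rc := range s.codes {
		if !rc.Used && subtle.ConstantTimeCompare([]byte(rc.Code), []byte(code)) == 1 {
			rc.Used = true
			return true
		}
	}
	return false
}

// ValidateScoped is the corrected check: the candidate set is filtered to the
// authenticating user's own unused codes before comparing, and a match is consumed.
func (s *Store) ValidateScoped(userID int64, code string) bool {
	for _, rc := range s.codes {
		if rc.UserID != userID || rc.Used {
			continue
		}
		if subtle.ConstantTimeCompare([]byte(rc.Code), []byte(code)) == 1 {
			rc.Used = true
			return true
		}
	}
	return false
}

// NewDemoStore returns constructed sample data: user 1 and user 2 own one unused code each.
func NewDemoStore() *Store {
	return &Store{codes: []*RecoveryCode{
		{UserID: 1, Code: "code-for-user-1"},
		{UserID: 2, Code: "code-for-user-2"},
	}}
}
```

A regression test that asserts another user's code is rejected and that a consumed code cannot be replayed is the check worth keeping in a code base that stores recovery codes this way.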
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gogs.io | gogs | >= 0.11.19 < 0.13.4 | 0.13.4 |
| gogs.io | gogs | >= 0.11.19 | — |
| gogs | gogs | < 0.14.0+dev | 0.14.0+dev |
| gogs | gogs | < 0.13.4 | 0.13.4 |
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | CVSS v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| NVD | CVSS v4.0 | 7.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
OSV
CVE-2025-64175: Gogs Vulnerable to 2FA Bypass via Recovery Code in gogs.io/gogs
osv · 2026-02-17
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: gogs.io/gogs before v0.13.4.
GHSA
CVE-2025-64175 [HIGH] CWE-287: Gogs Vulnerable to 2FA Bypass via Recovery Code
ghsa · 2026-02-06
Contact OpenAI Security Research at [email protected] to engage on this report.
See PDF report for easier reading.
Security Advisory: 2FA Bypass via Recovery Code
Vulnerability Type: 2FA Authentication Bypass
Affected Software: GOGS
Severity: High
Date: Aug 5, 2025
Discoverer: OpenAI Security Research
Summary
Gogs’ 2FA recovery code validation does not scope codes by user, enabling cross-account bypass. If an attacker knows a victim’s username and password, they can use any unused recovery code (e.g., from their own account) to bypass the victim’s 2FA.
[Security Advisory_ 2FA Bypass via Recovery Code - Google Docs.pdf](https://github.com/user-attachments/files/21643266/Security.Advisory_.2FA.Bypass.via.Recovery.Code.-.Google.Docs.pdf)
OSV
CVE-2025-64175 [HIGH]: Gogs Vulnerable to 2FA Bypass via Recovery Code
osv · 2026-02-06
No detection rules found.
No public exploits indexed.