
Unpatched Gogs zero-day enables remote code execution

Gogs zero-day – A zero-day vulnerability in the self-hosted Gogs Git service can let attackers achieve remote code execution on Internet-facing instances, even when the flaw requires only basic user privileges. Security researchers say default settings make exploitation far e

For many teams, Gogs is the quiet engine behind remote code collaboration—installed, configured, and left to run. But right now, that quiet has a sharp edge.

An unpatched zero-day vulnerability in Gogs can allow attackers to execute code remotely on Internet-facing instances. Gogs is a self-hosted Git service written in Go as a lightweight alternative to GitHub Enterprise or GitLab, and it is frequently exposed directly to the internet.

The severity is critical. The issue is an argument injection flaw, and it has not yet been assigned a CVE ID. It affects the latest release versions, including Gogs 0.14.2 and Gogs 0.15.0+dev. Exploitation requires an authenticated account, but not an administrative one: any ordinary registered user can trigger it.

That still leaves a serious practical problem: researchers say default configurations make the path to a working attack short.

Jonah Burges, a Rapid7 senior security researcher who discovered the flaw, warned that the vulnerability affects all Gogs servers with default configurations. The reason is built into how many instances start out: Gogs ships with open registration enabled by default (DISABLE_REGISTRATION = false) and with no limit on repository creation (MAX_CREATION_LIMIT = -1). With those defaults, Burges said, an unauthenticated attacker can create an account and a repository on any default-configured instance.
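Those two defaults are the first thing an administrator should check. The Go program below is an added illustration, not code from Gogs or from Rapid7: it audits an app.ini body for the two settings named above. It assumes the keys live in the [service] and [repository] sections, as they do in Gogs' app.ini, and that an absent key takes the shipped default the article cites (registration open, creation limit -1). The sample configurations are constructed for the example and are not from any real deployment.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample configurations (not taken from any real deployment).
// The section and key names are the ones Gogs uses in app.ini.
const DefaultIni = `
; a freshly installed instance: neither risky key is set,
; so the shipped defaults apply
[server]
HTTP_PORT = 3000

[service]
; DISABLE_REGISTRATION not set -> default false (open registration)

[repository]
ROOT = /home/git/gogs-repositories
; MAX_CREATION_LIMIT not set -> default -1 (unlimited)
`

const HardenedIni = `
[service]
DISABLE_REGISTRATION = true

[repository]
ROOT = /home/git/gogs-repositories
MAX_CREATION_LIMIT = 5
`

// Finding describes one setting that matches the default-configuration
// precondition the Rapid7 researcher described.
type Finding struct {
	Key    string // section.KEY
	Value  string // effective value; "(default)" appended when the key is absent
	Reason string
}

// parseINI is a minimal reader for app.ini-style files: sections in
// brackets, KEY = VALUE lines, ';' or '#' comments. It avoids a third-party
// ini library so the example runs stand-alone.
func parseINI(src string) map[string]map[string]string {
	cfg := map[string]map[string]string{}
	section := ""
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || line[0] == ';' || line[0] == '#' {
			continue
		}
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			section = strings.TrimSpace(line[1 : len(line)-1])
			continue
		}
		key, val, ok := strings.Cut(line, "=")
		if !ok {
			continue
		}
		if cfg[section] == nil {
			cfg[section] = map[string]string{}
		}
		cfg[section][strings.TrimSpace(key)] = strings.Trim(strings.TrimSpace(val), `"`)
	}
	return cfg
}

// effective returns the configured value, or the shipped default when the
// key is absent. An absent key is the common case on a default install and
// must be treated as the default, not as "safe".
func effective(cfg map[string]map[string]string, section, key, def string) (string, bool) {
	if v, ok := cfg[section][key]; ok {
		return v, true
	}
	return def, false
}

func label(v string, set bool) string {
	if set {
		return v
	}
	return v + " (default)"
}

// AuditGogsConfig returns the findings for one app.ini body.
func AuditGogsConfig(src string) []Finding {
	cfg := parseINI(src)
	var out []Finding

	reg, set := effective(cfg, "service", "DISABLE_REGISTRATION", "false")
	if !strings.EqualFold(reg, "true") {
		out = append(out, Finding{"service.DISABLE_REGISTRATION", label(reg, set),
			"open self-registration: anyone can create the low-privilege account the exploit chain starts from"})
	}

	lim, set := effective(cfg, "repository", "MAX_CREATION_LIMIT", "-1")
	if n, err := strconv.Atoi(lim); err != nil || n < 0 {
		out = append(out, Finding{"repository.MAX_CREATION_LIMIT", label(lim, set),
			"unlimited repository creation: a fresh account can create the repository it will own"})
	}
	return out
}

func main() {
	for name, ini := range map[string]string{"default": DefaultIni, "hardened": HardenedIni} {
		findings := AuditGogsConfig(ini)
		fmt.Printf("%s config: %d finding(s)\n", name, len(findings))
		for _, f := range findings {
			fmt.Printf("  %s = %s: %s\n", f.Key, f.Value, f.Reason)
		}
	}
}
```

To audit a live instance, read the real app.ini into a string and pass it to AuditGogsConfig instead of the embedded constants. The check reports a finding for an absent key on purpose: a default install has neither key written, and that is exactly the configuration the researcher warned about.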


Once registered, the process becomes even more direct. Burges noted that any registered user who creates a repository is automatically treated as the repository owner. From there, enabling rebase merging becomes "a single toggle in settings," and the exploit chain can be run without interaction from any other user.

The technical mechanism is tied to how Git rebase operations are triggered during merges. Successful exploitation lets attackers execute arbitrary code remotely as the Gogs server process user. They do it through pull requests that use a malicious branch name to inject an "--exec" flag into the git rebase invocation during the "Rebase before merging" merge operation.
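To make that injection concrete, here is an added Go example; it is not the Gogs Merge() code, which the page does not reproduce. It models how a branch name chosen by the pull request author reaches a git rebase argv, assuming the invocation takes git's documented positional form git rebase <base> <head> (the real Gogs call may differ). The unsafe builder shows why a head branch named --exec=... is read by git's option parser as an option rather than a ref; the hardened builder rejects names that fail a conservative subset of git's check-ref-format rules and ends option parsing with "--" so that nothing after it can be taken as a flag. Nothing here invokes git; it only builds and inspects the argument list.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// BuildRebaseArgsUnsafe concatenates the branch names straight into argv,
// the way an argument-injection bug arises: git's option parser sees a head
// branch called "--exec=<cmd>" as the --exec option, not as a ref name.
func BuildRebaseArgsUnsafe(base, head string) []string {
	return []string{"rebase", base, head}
}

// ValidateBranchName applies a conservative subset of the rules enforced by
// `git check-ref-format --branch`. The decisive rule for argument injection
// is the first one: a branch name may not begin with "-".
func ValidateBranchName(name string) error {
	switch {
	case name == "":
		return errors.New("empty branch name")
	case strings.HasPrefix(name, "-"):
		return fmt.Errorf("branch %q starts with '-' and would be parsed as an option", name)
	case name == "@", strings.Contains(name, ".."), strings.Contains(name, "@{"):
		return fmt.Errorf("branch %q contains a sequence git forbids", name)
	case strings.HasPrefix(name, "/"), strings.HasSuffix(name, "/"), strings.HasSuffix(name, "."):
		return fmt.Errorf("branch %q has a leading or trailing separator", name)
	}
	for _, r := range name {
		// control characters, space and the characters git reserves in refs
		if r < 0x20 || r == 0x7f || strings.ContainsRune(" ~^:?*[\\", r) {
			return fmt.Errorf("branch %q contains forbidden character %q", name, r)
		}
	}
	for _, comp := range strings.Split(name, "/") {
		if comp == "" || strings.HasPrefix(comp, ".") || strings.HasSuffix(comp, ".lock") {
			return fmt.Errorf("branch %q has an invalid path component %q", name, comp)
		}
	}
	return nil
}

// BuildRebaseArgsSafe validates both refs and then terminates option parsing
// with "--", so a ref can never be read as a flag even if the validation
// above is later loosened.
func BuildRebaseArgsSafe(base, head string) ([]string, error) {
	for _, n := range []string{base, head} {
		if err := ValidateBranchName(n); err != nil {
			return nil, err
		}
	}
	return []string{"rebase", "--", base, head}, nil
}

// IsParsedAsOption reports whether git's option parser would treat token as
// an option in args: a "-"-prefixed token that appears before any "--".
func IsParsedAsOption(args []string, token string) bool {
	for _, a := range args[1:] { // skip the subcommand name
		if a == "--" {
			return false
		}
		if a == token && strings.HasPrefix(a, "-") {
			return true
		}
	}
	return false
}

func main() {
	malicious := "--exec=id > /tmp/pwned" // hypothetical attacker-chosen branch name
	unsafe := BuildRebaseArgsUnsafe("main", malicious)
	fmt.Printf("unsafe argv: git %q (option injected: %v)\n", unsafe, IsParsedAsOption(unsafe, malicious))

	if _, err := BuildRebaseArgsSafe("main", malicious); err != nil {
		fmt.Println("safe builder rejected it:", err)
	}
	safe, _ := BuildRebaseArgsSafe("main", "feature/login-fix")
	fmt.Printf("safe argv: git %q\n", safe)
}
```

The validation and the "--" terminator are deliberately separate layers: name validation is easy to get subtly wrong, while the terminator holds regardless of what the name contains, so a fix should carry both.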

If attackers get this far, the impact is broader than just taking over the server. Burges said they can compromise the server, read every repository on the instance (including other users' private repositories), dump credentials such as password hashes, API tokens, SSH keys, and 2FA secrets, pivot to other network-accessible systems, and modify any hosted repository's code.


Burges added that while the vulnerability resembles other argument injection issues Gogs addressed in recent years—CVE-2024-39933, CVE-2024-39932, CVE-2026-26194, and CVE-2024-39930—it is tied to a different code path: Merge(). That specific path “was never patched,” according to Burges.

The reporting timeline has a frustrating gap. Burges said he reported the security flaw to the Gogs maintainers on March 17, and the maintainers acknowledged the report on March 28. Since then, the researcher said, they have not provided a patch or responded to further requests for a status update.

The exposure problem doesn’t end with the code. Internet security watchdog Shadowserver is now tracking more than 2,400 Gogs servers exposed online. Most are in Asia (1,894), with 319 in Europe. Shodan, meanwhile, found just over 1,000 IP addresses carrying a Gogs fingerprint.

That scale matters because Gogs has lived through similar incidents before. In early December, the Gogs security team patched another Gogs remote code execution vulnerability, CVE-2025-8110, which had been exploited in zero-day attacks to compromise hundreds of servers. Wiz security researchers, who discovered CVE-2025-8110 while investigating a compromised Internet-facing Gogs server in July, reported the flaw to Gogs maintainers on July 17. Wiz says the maintainers acknowledged the report three months later, on October 30, and released patches in early January.

On January 12, CISA confirmed that CVE-2025-8110 was under active exploitation and added it to its catalog of vulnerabilities exploited in the wild. CISA also ordered Federal Civilian Executive Branch agencies to secure their servers by February 2, warning that this kind of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.

Now, with this new Gogs zero-day still without a CVE ID and with patches still pending, the immediate question for administrators is stark: how many instances are running with default settings right now, waiting for an attacker to register, toggle rebase merging, and turn a pull request into server-level control?
