> About Author
Hi, I'm Sharon, a product manager at Chaitin Tech. We build SafeLine, an open-source Web Application Firewall built for real-world threats. While SafeLine focuses on HTTP-layer protection, our emergency response center monitors and responds to RCE and authentication vulnerabilities across the stack to help developers stay safe.
Gogs (Go Git Service) is a lightweight, self-hosted Git service written in Go. It supports source code hosting, issue tracking, permission control, and webhooks, all under the MIT license.
In June 2025, Gogs released a critical security update to patch a remote command execution (RCE) vulnerability. This flaw allows authenticated attackers to execute arbitrary system commands on the server. Initial testing by Chaitin Security confirms the vulnerability affects only Unix-like systems. Windows deployments are not affected. If you're running Gogs on Linux, upgrade immediately.
Vulnerability Overview
Root Cause:
The flaw stems from a bypass of the original patch for CVE-2024-39931. By abusing symbolic links, attackers can delete files under the .git directory and overwrite sensitive config files. This leads to full remote code execution (RCE), enabling attackers to take control of the server.
Impact:
- Execute arbitrary system commands
- Take full control of the server
- Exfiltrate data or compromise your DevOps pipeline
Risk Summary
| Category | Info |
|---|---|
| Vulnerability Type | Command Injection (RCE) |
| Severity | High |
| Access Required | Authenticated User |
| User Interaction | None |
| System Affected | Linux only (not Windows) |
| Default Config Affected | Yes |
| Exploit Availability | No public POC yet |
| Fix Difficulty | Low (upgrade available) |
Affected Versions
- Gogs < 0.13.3
How to Fix It
Temporary Mitigation
If you can't upgrade immediately, disable user registration in your Gogs config to reduce risk from malicious account creation:
```ini
[auth]
DISABLE_REGISTRATION = true
```

After editing `app.ini`, restart the Gogs service for the change to take effect.
Official Patch
Upgrade to Gogs v0.13.3 or higher, which includes the security fix:
Download v0.13.3
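As an added check that is not part of the original post or of Gogs itself, the following Go program tests both remediation conditions described above: whether a version string is 0.13.3 or newer, and whether an `app.ini` fragment actually sets `DISABLE_REGISTRATION = true` inside the `[auth]` section rather than somewhere else. The sample configuration and version strings are constructed; pass in the version and config text from your own deployment.

```go
package main

import (
	"strconv"
	"strings"
)

// Constructed app.ini fragment showing the mitigation from the post.
const sampleIni = "[auth]\nDISABLE_REGISTRATION = true\n"

// IsPatched reports whether a Gogs version string (e.g. "0.13.2" or "v0.13.3")
// is 0.13.3 or newer; any malformed version string counts as unpatched.
func IsPatched(version string) bool {
	want := [3]int{0, 13, 3} // first release with the fix
	parts := strings.Split(strings.TrimPrefix(strings.TrimSpace(version), "v"), ".")
	if len(parts) != 3 {
		return false
	}
	cmp := 0 // sign of (version - 0.13.3) at the first differing component
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return false
		}
		if cmp == 0 && n != want[i] {
			cmp = n - want[i]
		}
	}
	return cmp >= 0
}

// RegistrationDisabled reports whether app.ini text sets DISABLE_REGISTRATION = true
// in its [auth] section; the same key in any other section does not count.
func RegistrationDisabled(ini string) bool {
	section := ""
	for _, raw := range strings.Split(ini, "\n") {
		line := strings.TrimSpace(raw)
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			section = strings.ToLower(strings.Trim(line, "[]"))
			continue
		}
		key, val, ok := strings.Cut(line, "=")
		if section == "auth" && ok && strings.TrimSpace(key) == "DISABLE_REGISTRATION" {
			return strings.EqualFold(strings.TrimSpace(val), "true")
		}
	}
	return false
}
```

A deployment is considered safe only when `IsPatched` returns true; `RegistrationDisabled` only confirms the stop-gap, since existing accounts can still reach the vulnerable code path.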
Vulnerability Reproduction (PoC)
Visual proof-of-concept (image not reproduced here).
Stay safe, patch fast, and don't underestimate low-profile services like Gogs: they're often the weakest link in your CI/CD chain.