Critical Argument Injection Vulnerability in Gogs Enables Remote Code Execution

A critical zero-day vulnerability has been identified in Gogs, the widely used self-hosted Git service. This flaw allows authenticated users to perform arbitrary command execution on the host server, potentially leading to a complete system compromise. Discovered by Rapid7 Labs, the vulnerability carries a severe CVSS v4 score of 9.4.

As of this writing, no official patch has been released by the Gogs maintainers. This leaves a vast landscape of internet-facing and internal Gogs deployments vulnerable to exploitation.

Technical Deep Dive: Argument Injection via Git Rebase

The root cause of this vulnerability lies in the application’s handling of the “Rebase before merging” feature during pull request workflows. When this setting is toggled on, Gogs invokes a sub-process to execute a git rebase command to integrate commits from a feature branch into a base branch.

The technical failure occurs because the application passes the branch name directly into the command-line argument string without utilizing a safe argument separator (such as --). Because the underlying Git binary supports the --exec flag—which instructs Git to run a specific shell command after each commit—an attacker can weaponize this behavior.

By crafting a malicious branch name that contains the --exec flag followed by a payload, the attacker forces the Git process to interpret the branch name not as a string, but as a functional command-line option. This results in Remote Code Execution (RCE) under the context of the user running the Gogs service (typically a dedicated git or service account).

Exploitability and Attack Surface

What elevates this from a standard bug to a critical threat is the extremely low barrier to entry. The exploit does not require administrative privileges, nor does it require interaction from a legitimate administrator. In many default configurations, Gogs allows open user registration and unrestricted repository creation.

An attacker can follow a simple, automated path:

  • Register a new account.
  • Create a personal repository.
  • Enable the “Rebase before merging” setting.
  • Create a branch with a payload-laden name (e.g., --exec=).
  • Initiate a pull request to trigger the rebase.

This entire chain is self-contained within the attacker’s own environment, making it difficult for traditional perimeter defenses to intercept. Even in hardened environments where registration is disabled, any user with write access to a repository can leverage this flaw.

Post-Exploitation Impact

Once the attacker achieves RCE, they inherit the permissions of the Gogs process. This provides a foothold to:

  • Exfiltrate Intellectual Property: Read every repository on the server, including private source code and sensitive configuration files.
  • Credential Theft: Access the backend database to dump password hashes, API tokens, SSH private keys, and 2FA secrets.
  • Lateral Movement: Use the compromised server as a pivot point to scan and attack other internal systems within the network.
  • Supply Chain Compromise: Silently modify source code directly on the filesystem, bypassing application-level audit logs and commit signing requirements.

Rapid7 has confirmed that versions Gogs 0.14.2 and 0.15.0+dev are definitively impacted, though all versions supporting the rebase feature should be considered at risk.

Metasploit module demonstration
Metasploit module successfully obtaining a command shell session on a Gogs 0.14.2 instance running on Ubuntu. (Source: Rapid7)

Mitigation and Defense Strategies

The vulnerability persists because the merge logic utilizes a low-level process execution wrapper rather than a hardened API. While many other Git operations in Gogs were previously updated to include the --end-of-options separator, the rebase call was overlooked.

Because a Metasploit module already exists to automate this exploit, immediate action is required. Since a patch is currently unavailable, administrators should implement the following mitigations:

  1. Disable Public Registration: Prevent unauthorized users from creating accounts.
  2. Restrict Repository Creation: Limit the ability to create new repositories to trusted personnel only.
  3. Audit Permissions: Strictly limit write and merge permissions to highly trusted users.
  4. Network Segmentation: Place Gogs instances behind a VPN or an identity-aware access gateway.
  5. Log Monitoring: Actively scan server logs for unusual --exec strings or HTTP 500 errors during merge operations.

Indicators of Compromise (IoCs)

[E] ...merge: git checkout '--exec=<...>': exit status 128 - error: unknown option `exec=<...>'

Security Note: If you observe suspicious branch names containing shell characters or unexpected errors in your Git logs, treat the instance as compromised and initiate your incident response protocol immediately.

Related Articles

Back to top button