Critical (9.8)

CVE-2026-25242: Gogs RCE — Critical — Patch Now [PoC]

CVE-2026-25242

Gogs is an open source self-hosted Git service. Versions 0.13.4 and below expose unauthenticated file upload endpoints by default. When the global RequireSigninView setting is disabled (default), any ...

Affected: Gogs (vendor: Gogs)

Overview

A critical security vulnerability has been identified in Gogs, a popular self-hosted Git service. This flaw allows unauthenticated attackers to upload any file to a vulnerable server, effectively turning it into an unsecured public file host.

Vulnerability Details

In affected versions (0.13.4 and below), two web endpoints, /releases/attachments and /issues/attachments, do not check whether the requester is signed in when the global RequireSigninView setting is disabled, which is the default. Consequently, any remote user can upload files to them without providing credentials. Standard CSRF (Cross-Site Request Forgery) protections do not help here, because the server still issues session cookies for these requests.

Potential Impact

The impact of this vulnerability is severe and multifaceted:

  • Disk Exhaustion: Attackers can rapidly fill the server’s disk space with large or numerous files, causing a denial of service and disrupting the Git service and any other applications on the host.
  • Malware Hosting: The server can be used to store and distribute malicious software, scripts, or phishing pages, damaging the reputation of the organization hosting the Gogs instance.
  • Content Hosting: The instance could be abused to host illegal or unauthorized content, creating legal and operational risks.
  • Data Integrity: The integrity and intended use of the server are completely compromised.

This vulnerability is remotely exploitable without any authentication, contributing to its critical severity rating of 9.8 on the CVSS scale.

Remediation and Mitigation

Immediate action is required to secure affected Gogs instances.

Primary Fix: The only complete solution is to upgrade Gogs to version 0.14.1 or later. This update corrects the authorization check on the affected endpoints. Always test upgrades in a staging environment before applying them to production.

Immediate Mitigation: If upgrading is not immediately possible, enable the RequireSigninView global setting. This will force authentication for all views and should block unauthenticated access to the upload endpoints.

  1. Navigate to Administration Panel -> Configuration -> Server.
  2. Set REQUIRE_SIGNIN_VIEW to true.
  3. Restart your Gogs application.
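The upgrade check and the RequireSigninView mitigation above can be assessed locally with a short script. The following is an added example written for this page; it is not code from the Gogs project or from the advisory. It assumes the affected ceiling (0.13.4) and fixed release (0.14.1) stated above, and that the app.ini form of the setting is REQUIRE_SIGNIN_VIEW under the [service] section. The version strings and app.ini fragments it uses are constructed.

```python
"""Added example (not from the Gogs project or this advisory): assess a Gogs
deployment against CVE-2026-25242 from two local inputs, the running version
string and the text of custom/conf/app.ini.

Assumptions: affected range (<= 0.13.4) and fixed release (0.14.1) are taken
from the advisory; [service] REQUIRE_SIGNIN_VIEW is assumed to be the app.ini
form of the RequireSigninView setting. Sample inputs below are constructed."""
import configparser
import re

FIXED = (0, 14, 1)
LAST_AFFECTED = (0, 13, 4)


def parse_version(text: str) -> tuple:
    """Turn '0.13.4', 'v0.14.1' or '0.13.4+dev' into a comparable int tuple.
    Pre-release/build suffixes are ignored; missing components default to 0."""
    m = re.match(r"v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def version_status(text: str) -> str:
    """'affected', 'fixed', or 'unknown' for versions the advisory does not cover."""
    v = parse_version(text)
    if v <= LAST_AFFECTED:
        return "affected"
    if v >= FIXED:
        return "fixed"
    # e.g. 0.14.0 sits between the advisory's affected ceiling and the fixed
    # release; the advisory does not say which side it is on, so do not guess.
    return "unknown (check vendor advisory)"


def require_signin_view(app_ini: str) -> bool:
    """Read [service] REQUIRE_SIGNIN_VIEW from app.ini text.
    An absent key means the Gogs default, which the advisory says is disabled."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(app_ini)
    return cp.getboolean("service", "REQUIRE_SIGNIN_VIEW", fallback=False)


def assess(version: str, app_ini: str) -> dict:
    """Combine version status and mitigation state into a recommended action."""
    status = version_status(version)
    mitigated = require_signin_view(app_ini)
    if status == "fixed":
        action = "none: running a fixed release"
    elif mitigated:
        action = "mitigated by REQUIRE_SIGNIN_VIEW; still schedule upgrade to 0.14.1+"
    else:
        action = "EXPOSED: upgrade to 0.14.1+ or set REQUIRE_SIGNIN_VIEW = true now"
    return {"version": status, "require_signin_view": mitigated, "action": action}


# Constructed app.ini fragments (not taken from a real deployment).
DEFAULT_INI = "[service]\n; RequireSigninView left at its default (disabled)\n"
MITIGATED_INI = "[service]\nREQUIRE_SIGNIN_VIEW = true\n"

if __name__ == "__main__":
    for ver, ini in [("0.13.4", DEFAULT_INI), ("0.13.4", MITIGATED_INI),
                     ("0.14.0", DEFAULT_INI), ("0.14.1", DEFAULT_INI)]:
        print(ver, assess(ver, ini))
```

On a real host, feed `assess()` the version shown in the Gogs admin panel and the contents of `custom/conf/app.ini`; the script deliberately reports "unknown" rather than "fixed" for versions the advisory does not name.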

Additional Measures:

  • Review server directories (notably the attachments folders) for any suspicious files uploaded since installation.
  • Ensure your Gogs instance is not directly exposed to the internet unless necessary. Place it behind a firewall or reverse proxy with strict access controls.
  • Monitor server disk usage and system logs for unusual activity.
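The two review measures above, checking the attachments directories for recently added files and watching logs for unusual activity, can be scripted. The following is an added example written for this page, not code from the Gogs project or from the advisory. It assumes a reverse proxy writing nginx "combined" format access logs in front of Gogs and matches the two endpoint paths the advisory names whether they appear at the top level or under a repository prefix; the log lines and the directory tree it examines are constructed for the example.

```python
"""Added example (not part of the advisory or the Gogs project): two checks a
Gogs administrator can run while reviewing for abuse of CVE-2026-25242.

1. scan_access_log(): count POSTs to the upload endpoints the advisory names,
   per client address, in nginx 'combined' access logs (assumed format).
2. audit_attachments(): list files under an attachments directory changed
   after a cutoff, largest first, with the bytes they occupy.

All log lines and files below are constructed sample data."""
import os
import re
import tempfile
import time
from collections import Counter

UPLOAD_PATHS = ("/releases/attachments", "/issues/attachments")

# nginx 'combined': ip - user [time] "METHOD path proto" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_access_log(lines, threshold=5):
    """Return (counts, offenders): upload POSTs per client IP, and the IPs
    whose count reaches threshold (a burst worth investigating)."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        path = m.group("path").split("?", 1)[0]
        # endswith() matches '/releases/attachments' both bare and nested
        # under a '/owner/repo' prefix.
        if path.endswith(UPLOAD_PATHS):
            counts[m.group("ip")] += 1
    offenders = sorted(ip for ip, n in counts.items() if n >= threshold)
    return counts, offenders


def audit_attachments(root, since_epoch):
    """Walk root and return (files, total_bytes) for files modified at or
    after since_epoch; files are (path, size, mtime), largest first."""
    found, total = [], 0
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            if st.st_mtime >= since_epoch:
                found.append((full, st.st_size, st.st_mtime))
                total += st.st_size
    found.sort(key=lambda f: f[1], reverse=True)
    return found, total


# Constructed sample log: one client bursting uploads, one ordinary user.
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Feb/2026:12:00:{i:02d} +0000] '
    f'"POST /releases/attachments HTTP/1.1" 200 87 "-" "curl/8.5"'
    for i in range(6)
] + [
    '198.51.100.4 - - [10/Feb/2026:12:01:00 +0000] "GET /user/login HTTP/1.1" 200 2310 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Feb/2026:12:01:30 +0000] "POST /org/repo/issues/attachments HTTP/1.1" 200 90 "-" "Mozilla/5.0"',
]


def build_sample_attachments():
    """Create a throwaway attachments tree (constructed data) and return
    (root, cutoff): one old file and two files modified within the last hour."""
    root = tempfile.mkdtemp(prefix="gogs-attachments-")
    now = time.time()
    cutoff = now - 3600
    samples = [  # (path, content, age in seconds)
        (os.path.join(root, "0a", "old.txt"), b"x" * 10, 7200),
        (os.path.join(root, "1b", "dump.bin"), b"y" * 5000, 60),
        (os.path.join(root, "1b", "note.txt"), b"z" * 100, 30),
    ]
    for path, content, age in samples:
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
        os.utime(path, (now - age, now - age))
    return root, cutoff


if __name__ == "__main__":
    counts, offenders = scan_access_log(SAMPLE_LOG)
    print("upload POSTs per IP:", dict(counts), "offenders:", offenders)
    root, cutoff = build_sample_attachments()
    files, total = audit_attachments(root, cutoff)
    print(f"{len(files)} recent files, {total} bytes:", [(f[0], f[1]) for f in files])
```

On a live host, pass the proxy's access log lines to `scan_access_log()` and the real attachments path with a cutoff of your choosing to `audit_attachments()`; pair the per-IP counts with disk usage trends to spot exhaustion attempts early.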

All users and administrators of Gogs versions 0.13.4 and below should apply the upgrade or mitigation without delay.



Public PoC References

Unverified third-party code

These repositories are publicly listed on GitHub and have not been audited by Yazoul Security. They may contain malware, backdoors, destructive payloads, or operational security risks (telemetry, exfiltration). Treat them as hostile binaries. Inspect source before execution. Run only in isolated, disposable lab environments (offline VM, no credentials, no production data).

Authorized use only. This information is provided for defensive research, detection engineering, and patch validation. Using exploit code against systems you do not own or do not have explicit written permission to test is illegal in most jurisdictions and violates Yazoul's terms of use.

Repository: mindkernel/CVE-2026-25242 (stars: 0)
PoC for CVE-2026-25242 gogs unauthenticated file upload

Showing 1 of 1 known references. Source: nomi-sec/PoC-in-GitHub.
