The widely used self-hosted Git service Gogs is currently vulnerable to a critical zero-day flaw that permits remote code execution. According to cybersecurity firm Rapid7, the vulnerability has been assigned a CVSS score of 9.4 and stems from an argument injection issue that can be exploited by attackers with authenticated access. They can exploit this flaw through pull requests containing malicious branch names.
Rapid7's technical analysis reveals that the flaw arises during the 'Rebase before merging' operation in Gogs. This operation, while not enabled by default, can be activated by any repository administrator. Once enabled, attackers can exploit it by injecting the '--exec' flag into the 'git rebase' command during the merge process, leading to command execution with the same privileges as the Gogs server process user.
The vulnerability's impact is significant. An attacker can gain control over the server, access all repositories on the instance including private ones, and potentially compromise other systems on the network. Since Gogs installations typically have open registration and no restrictions on repository creation, an attacker can easily create an account and execute the exploit on any default-configured instance.
Gogs servers running on Windows, Linux, and macOS are affected, particularly those with multiple user accounts. Rapid7 has provided a Metasploit module to automate the exploit and released indicators of compromise to aid in detecting potential breaches. Despite being notified in March, Gogs' maintainers have yet to release a patch. This marks the second zero-day vulnerability disclosed in Gogs within six months, following a similar disclosure in December.


