Rapid7 Labs found a critical argument injection flaw in Gogs that lets any authenticated user achieve remote code execution through a malicious branch name during “Rebase before merging.” The issue affects Gogs 0.14.2 and 0.15.0+dev, has no patch at publication time, and can expose repositories, credentials, and the entire server on default-configured instances. #Gogs #Rapid7Labs #GHSA-qf6p-p7ww-cwr9
Keypoints
- Rapid7 Labs discovered a critical CWE-88 argument injection vulnerability in Gogs with a CVSSv4 score of 9.4.
- A malicious branch name can inject the `--exec` flag into `git rebase` during the “Rebase before merging” workflow, leading to remote code execution.
- The exploit can be carried out by any authenticated user and often requires no admin privileges, no interaction from other users, and no access beyond the attacker’s own account.
- Default Gogs settings make exploitation easy because registration is enabled by default and repo creation is unrestricted on many instances.
- Successful exploitation can expose all repositories, steal credentials such as password hashes and API tokens, pivot to other systems, and modify hosted repository code.
- Gogs 0.14.2 and 0.15.0+dev (commit b53d3162) were confirmed affected, and all prior versions supporting rebase merging are likely vulnerable.
- No patch was available at publication time; mitigation focuses on restricting registration and repository creation.
MITRE Techniques
- [T1059.004] Unix Shell – The injected rebase argument is executed via shell command interpretation on Linux/macOS systems (‘run a shell command via sh -c after replaying each commit’).
- [T1059.003] Windows Command Shell – On Windows, the payload is delivered through a script that invokes cmd.exe to execute a batch file (‘cmd.exe //c .abcdef.bat’).
- [T1202] Indirect Command Execution – The attacker abuses Git’s `--exec` functionality so a command is run during rebase (‘--exec flag that tells Git to run a shell command’).
- [T1068] Exploitation for Privilege Escalation – The flaw lets an authenticated user turn repository access into server-side command execution (‘achieve remote code execution on the server’).
- [T1552.001] Credentials in Files – The attacker can dump stored secrets from the Gogs database, including hashes and tokens (‘dump credentials (password hashes, API tokens, SSH keys, 2FA secrets)’).
- [T1041] Exfiltration Over C2 Channel – The article describes stealing data from the server and repositories after gaining command execution (‘read every repository on the instance’).
- [T1078] Valid Accounts – Exploitation requires an authenticated user or existing write access to a repository (‘any authenticated user’ and ‘write access to any repository’).
Indicators of Compromise
- [Log entries] Gogs server error logs may record the failed merge attempt with the malicious branch name embedded – `git checkout '--exec=': exit status 128`, ``error: unknown option `exec='``
- [Branch names] Suspicious repository branches beginning with `--` may indicate exploitation – `--exec=touch${IFS}/tmp/rce_proof`, `--exec=sh${IFS}.abcdef`
- [Pull request history] Failed or suspicious PRs created during the attack may remain in history – one malicious PR and other related PR artifacts
- [Git history / payload files] On Windows targets, exploit files can remain in repository history – `.abcdef`, `.abcdef.bat`
- [API tokens] The Metasploit module creates a persistent Gogs token during exploitation – `msf_`, and other unexpected application tokens
- [Repository filesystem artifacts] The payload file is written to the server-side bare git directory and may persist after the attack – one payload script file and related temp artifacts
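The indicators above can be turned into a simple triage script. The following is an added example written for this summary, not code from Rapid7 Labs, the Gogs project or the Metasploit module. The log lines, branch names, token names and file paths it scans are constructed samples in an assumed Gogs log format; the only real values in them are the error strings, branch payloads, `msf_` prefix and `.abcdef` file names quoted in the indicators list. The branch check generalizes slightly beyond the page: it flags any branch name starting with a single `-`, since git treats such a name as an option whatever follows it.

```python
import re
from typing import Dict, List

# Constructed samples (not from a real incident): a Gogs log excerpt in an
# assumed format, branch names as listed by `git branch --list`, application
# token names as shown in the Gogs UI, and file paths from a repository tree.
SAMPLE_LOG_LINES = [
    "2024/05/01 10:15:02 [INFO] alice opened pull request #7 (constructed)",
    "2024/05/01 10:15:07 [ERROR] merge: git checkout '--exec=': exit status 128",
    "2024/05/01 10:15:07 [ERROR] error: unknown option `exec='",
    "2024/05/01 10:16:11 [INFO] alice pushed to feature/login",
]
SAMPLE_BRANCHES = [
    "main",
    "feature/login",
    "--exec=touch${IFS}/tmp/rce_proof",
    "--exec=sh${IFS}.abcdef",
]
SAMPLE_TOKENS = ["ci-deploy", "msf_q7Lk2", "release-bot"]
SAMPLE_FILES = ["README.md", ".abcdef", ".abcdef.bat", "src/main.go"]

# Error signatures quoted in the indicators list, plus a broader catch for any
# '--exec=' argument that reached git at all.
LOG_SIGNATURES = [
    re.compile(r"git checkout '--exec=[^']*': exit status 128"),
    re.compile(r"unknown option `exec="),
    re.compile(r"--exec="),
]

# Payload file names the indicators list gives for the Windows variant.
PAYLOAD_FILE_NAMES = {".abcdef", ".abcdef.bat"}


def suspicious_branches(names: List[str]) -> List[str]:
    """A branch name starting with '-' is parsed by git as an option rather
    than a ref; no legitimate workflow produces one (generalizes the page's
    '--' prefix to a single '-')."""
    return [n for n in names if n.startswith("-")]


def suspicious_log_lines(lines: List[str]) -> List[str]:
    """Log lines matching any of the quoted failed-merge signatures."""
    return [ln for ln in lines if any(sig.search(ln) for sig in LOG_SIGNATURES)]


def suspicious_tokens(names: List[str]) -> List[str]:
    """Application tokens carrying the 'msf_' prefix the page attributes to
    the Metasploit module; any unexpected token deserves review too."""
    return [t for t in names if t.startswith("msf_")]


def suspicious_files(paths: List[str]) -> List[str]:
    """Files whose basename is one of the listed payload file names."""
    return [p for p in paths if p.rsplit("/", 1)[-1] in PAYLOAD_FILE_NAMES]


def triage(log_lines: List[str], branches: List[str],
           tokens: List[str], files: List[str]) -> Dict[str, List[str]]:
    """Run every check and return only the categories that produced hits."""
    hits = {
        "log_entries": suspicious_log_lines(log_lines),
        "branch_names": suspicious_branches(branches),
        "api_tokens": suspicious_tokens(tokens),
        "payload_files": suspicious_files(files),
    }
    return {category: items for category, items in hits.items() if items}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG_LINES, SAMPLE_BRANCHES, SAMPLE_TOKENS, SAMPLE_FILES)
    for category, items in report.items():
        print(f"[{category}]")
        for item in items:
            print("   ", item)
```

On a live instance the inputs would come from the Gogs log directory, from `git branch --list` run in each bare repository under the Gogs data root, from the admin token list and from a listing of each repository's working tree; an empty result from `triage` means none of the listed indicators were present, not that the instance is safe, since the only real fix is the missing patch or the registration and repository-creation restrictions noted above.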
Read more: https://www.rapid7.com/blog/post/ve-authenticated-rce-via-argument-injection-gogs-unfixed