Gogs has fixed a critical zero-day argument injection flaw that could let authenticated attackers compromise Internet-facing instances, access private repositories, steal credentials, and alter hosted source code. The issue affects Gogs releases up to 0.14.2 and 0.15.0+dev, and users are urged to upgrade to 0.14.3 or apply mitigations such as disabling registration and limiting repository creation. #Gogs #Rapid7 #JonahBurgess
Key points
- Gogs patched a critical zero-day argument injection vulnerability.
- The flaw can expose private repositories and compromise Internet-facing instances.
- Attackers can steal credentials, move laterally, and modify source code.
- The issue affects all Gogs releases up to 0.14.2 and 0.15.0+dev.
- Users should upgrade to 0.14.3 or restrict registration and repository creation.