CVE-2025-64111
Remote Code Execution via .git Directory in Gogs
Publication date: 2026-02-06
Last updated on: 2026-02-18
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gogs | gogs | up to 0.13.4 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-64111 is a remote code execution (RCE) vulnerability in the "put contents" API of the Gogs Git service, affecting versions up to and including 0.13.3. The vulnerability exists because a previous security patch was insufficient, allowing attackers to update files within the .git directory via the API.

Specifically, the function responsible for updating repository files, `UpdateRepoFile`, performs security checks only under certain conditions. However, when called through the API router, these checks are bypassed, enabling unauthorized modification of critical files such as `.git/config`.

Attackers can exploit this flaw by pushing malicious content, including symbolic link files, to the repository. This ultimately allows them to execute arbitrary commands remotely on the server hosting the Gogs service. [1]
How can this vulnerability impact me?
This vulnerability can have severe impacts as it allows remote attackers to execute arbitrary commands on the server running the Gogs Git service without any authentication.
Such remote code execution can lead to full compromise of the affected system, including unauthorized access to sensitive data, disruption of services, and potential use of the server as a foothold for further attacks within the network.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if your Gogs instance is running a vulnerable version (0.13.3 or earlier) and by monitoring for unauthorized modifications to files within the .git directory via the "put contents" API.

Specifically, you can look for suspicious API calls that attempt to update files like .git/config or push symlink files to repositories.

While no exact commands are provided in the resources, a general approach would be to audit API logs for calls to the repository contents update endpoints and verify the version of Gogs running.

- Check Gogs version: `gogs --version` or check the version in the web interface.
- Review API access logs for suspicious PUT requests to endpoints related to repository contents.
- Inspect the .git directory in repositories for unexpected changes, especially to configuration files or presence of symlink files. [1]
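The detection steps above (version check plus review of API access logs for PUT requests to the repository contents endpoint that target the .git directory) can be scripted. The following is an added example written for this page, not code from the advisory or from the Gogs project. It assumes a reverse-proxy access log in combined log format and an API route of the shape `/api/v1/repos/<owner>/<repo>/contents/<path>` for the "put contents" endpoint; both are assumptions, and the log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumed (not taken from the advisory) route shape of the Gogs "put contents" API.
CONTENTS_PUT = re.compile(
    r'"PUT\s+/api/v1/repos/(?P<owner>[^/\s]+)/(?P<repo>[^/\s]+)/contents/(?P<path>[^\s?"]+)'
)

# First version the advisory lists as fixed.
FIXED_VERSION = (0, 13, 4)


def parse_version(v):
    """Turn '0.13.3' or 'v0.13.3+dev' into a comparable tuple of ints."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable_version(v):
    """True for any release older than the fixed version."""
    return parse_version(v) < FIXED_VERSION


def targets_git_dir(path):
    """True if the URL-decoded path has a '.git' component anywhere.

    Decoding twice catches double-encoded separators, and splitting on both
    separators catches traversal such as 'docs/../.git/config'.
    """
    decoded = unquote(unquote(path))
    parts = [p for p in decoded.replace("\\", "/").split("/") if p]
    return any(p.lower() == ".git" for p in parts)


def flag_suspicious_contents_requests(log_lines):
    """Return the PUT-to-contents requests whose target path reaches into .git."""
    findings = []
    for line in log_lines:
        m = CONTENTS_PUT.search(line)
        if m and targets_git_dir(m.group("path")):
            findings.append({
                "owner": m.group("owner"),
                "repo": m.group("repo"),
                "path": unquote(m.group("path")),
                "line": line.strip(),
            })
    return findings


# Constructed sample log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - alice [06/Feb/2026:10:00:01 +0000] "PUT /api/v1/repos/alice/demo/contents/README.md HTTP/1.1" 200 512
10.0.0.9 - bob [06/Feb/2026:10:00:07 +0000] "PUT /api/v1/repos/alice/demo/contents/.git/config HTTP/1.1" 200 312
10.0.0.9 - bob [06/Feb/2026:10:00:09 +0000] "PUT /api/v1/repos/alice/demo/contents/docs/..%2F.git%2Fconfig HTTP/1.1" 200 298
10.0.0.5 - alice [06/Feb/2026:10:00:12 +0000] "GET /api/v1/repos/alice/demo/contents/.git/config HTTP/1.1" 200 312
""".splitlines()


if __name__ == "__main__":
    # Hypothetical version string; in practice take it from `gogs --version`.
    running = "0.13.3"
    print(f"Gogs {running} vulnerable: {is_vulnerable_version(running)}")
    for hit in flag_suspicious_contents_requests(SAMPLE_LOG):
        print(f"{hit['owner']}/{hit['repo']}: PUT to {hit['path']!r}")
```

Only write requests (PUT) are flagged, since reads of `.git/config` through the contents API are not what the advisory describes. A hit in the log is a trigger for the third step on the page, inspecting that repository's .git directory on disk for unexpected changes or symlinks; the log alone cannot confirm what was written.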
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade your Gogs installation to version 0.13.4 or later, as the vulnerability has been patched starting from that version.

Until the upgrade can be performed, restrict access to the "put contents" API to trusted users only and monitor for suspicious activity involving updates to the .git directory.

Additionally, review repository contents for unauthorized changes, especially symlink files or modifications to critical files like .git/config. [1]