Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2025-64111 is a remote code execution (RCE) vulnerability in the "put contents" API of the Gogs Git service, affecting versions up to and including 0.13.3. The vulnerability exists because a previous security patch was insufficient, allowing attackers to update files within the .git directory via the API.'}, {'type': 'paragraph', 'content': 'Specifically, the function responsible for updating repository files, `UpdateRepoFile`, performs security checks only under certain conditions. However, when called through the API router, these checks are bypassed, enabling unauthorized modification of critical files such as `.git/config`.'}, {'type': 'paragraph', 'content': 'Attackers can exploit this flaw by pushing malicious content, including symbolic link files, to the repository. This ultimately allows them to execute arbitrary commands remotely on the server hosting the Gogs service.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts as it allows remote attackers to execute arbitrary commands on the server running the Gogs Git service without any authentication.

Such remote code execution can lead to full compromise of the affected system, including unauthorized access to sensitive data, disruption of services, and potential use of the server as a foothold for further attacks within the network.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking if your Gogs instance is running a vulnerable version (0.13.3 or earlier) and by monitoring for unauthorized modifications to files within the .git directory via the "put contents" API.'}, {'type': 'paragraph', 'content': 'Specifically, you can look for suspicious API calls that attempt to update files like .git/config or push symlink files to repositories.'}, {'type': 'paragraph', 'content': 'While no exact commands are provided in the resources, a general approach would be to audit API logs for calls to the repository contents update endpoints and verify the version of Gogs running.'}, {'type': 'list_item', 'content': 'Check Gogs version: `gogs --version` or check the version in the web interface.'}, {'type': 'list_item', 'content': 'Review API access logs for suspicious PUT requests to endpoints related to repository contents.'}, {'type': 'list_item', 'content': 'Inspect the .git directory in repositories for unexpected changes, especially to configuration files or presence of symlink files.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The immediate mitigation step is to upgrade your Gogs installation to version 0.13.4 or later, as the vulnerability has been patched starting from that version.'}, {'type': 'paragraph', 'content': 'Until the upgrade can be performed, restrict access to the "put contents" API to trusted users only and monitor for suspicious activity involving updates to the .git directory.'}, {'type': 'paragraph', 'content': 'Additionally, review repository contents for unauthorized changes, especially symlink files or modifications to critical files like .git/config.'}] [1]

Useful 0 Not Useful 0