CVE-2025-64175
Cross-Account 2FA Bypass in Gogs Enables Account Takeover

Publication date: 2026-02-06

Last updated on: 2026-02-17

Assigner: GitHub, Inc.

Description
Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, Gogs' 2FA recovery code validation does not scope codes by user, enabling cross-account bypass. If an attacker knows a victim's username and password, they can use any unused recovery code (e.g., from their own account) to bypass the victim's 2FA. This enables full account takeover and renders 2FA ineffective in all environments where it is enabled. This issue has been patched in versions 0.13.4 and 0.14.0+dev.
Meta Information
Published: 2026-02-06
Last Modified: 2026-02-17
Generated: 2026-05-07
AI Q&A: 2026-02-06
EPSS Evaluated: 2026-05-05
External records: NVD, EUVD
Affected Vendors & Products (1 associated CPE)
Vendor | Product | Version / Range
gogs | gogs | up to 0.13.4 (excluding)
CWE
CWE ID | Description
CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-64175 is a high-severity vulnerability in Gogs, an open-source self-hosted Git service, that allows bypassing two-factor authentication (2FA). The issue occurs because the recovery code validation function does not verify that a recovery code belongs to the authenticating user. Instead, it searches globally for any unused recovery code without checking the user ID.

This means that if an attacker knows a victim's username and password, they can use any unused recovery code, including one from their own account, to bypass the victim's 2FA. This flaw enables full account takeover by rendering 2FA ineffective.

The vulnerability affects all Gogs versions supporting 2FA since April 5, 2017, and was patched in versions 0.13.4 and 0.14.0+dev. [1]
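The following Go program is an added illustration of the defect class described above (a recovery-code lookup whose match predicate omits the owning user) next to the scoped form that closes it. It is not Gogs' code: the `store`, `recoveryCode`, `useRecoveryCodeUnscoped` and `useRecoveryCodeScoped` names, the in-memory table and the sample codes are all constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// recoveryCode is a constructed stand-in for one row of a 2FA recovery-code
// table (hypothetical; not the Gogs schema).
type recoveryCode struct {
	userID int64
	code   string
	used   bool
}

// store is an in-memory substitute for the database.
type store struct {
	codes []*recoveryCode
}

var errInvalidCode = errors.New("invalid or already used recovery code")

// useRecoveryCodeUnscoped models the defect class in the description: the
// match predicate ignores which user owns the code, so any unused code in the
// whole table satisfies the second factor. In SQL terms this is
//   WHERE code = ? AND used = false
// with no user_id condition. The userID parameter is accepted but never used.
func (s *store) useRecoveryCodeUnscoped(userID int64, code string) error {
	for _, rc := range s.codes {
		if rc.code == code && !rc.used {
			rc.used = true
			return nil
		}
	}
	return errInvalidCode
}

// useRecoveryCodeScoped is the corrected form: ownership is part of the match
// predicate (WHERE user_id = ? AND code = ? AND used = false), so a code
// issued to another account never matches and is never consumed.
func (s *store) useRecoveryCodeScoped(userID int64, code string) error {
	for _, rc := range s.codes {
		if rc.userID == userID && rc.code == code && !rc.used {
			rc.used = true
			return nil
		}
	}
	return errInvalidCode
}

// newDemoStore builds constructed sample data: user 1 and user 2 each hold one
// unused recovery code.
func newDemoStore() *store {
	return &store{codes: []*recoveryCode{
		{userID: 1, code: "code-issued-to-user-1"},
		{userID: 2, code: "code-issued-to-user-2"},
	}}
}

func main() {
	// User 1 is authenticating; the code presented was issued to user 2.
	s := newDemoStore()
	fmt.Println("unscoped lookup accepts user 2's code for user 1:",
		s.useRecoveryCodeUnscoped(1, "code-issued-to-user-2") == nil)

	s = newDemoStore()
	fmt.Println("scoped lookup accepts user 2's code for user 1:",
		s.useRecoveryCodeScoped(1, "code-issued-to-user-2") == nil)
	fmt.Println("scoped lookup accepts user 2's own code:",
		s.useRecoveryCodeScoped(2, "code-issued-to-user-2") == nil)
	fmt.Println("scoped lookup accepts the same code a second time:",
		s.useRecoveryCodeScoped(2, "code-issued-to-user-2") == nil)
}
```

The point of the scoped version is that the user ID is part of the query predicate rather than a check made after a global match: a code belonging to another account is never found, so it is neither accepted nor marked used. When reviewing a patch for this class of bug, look for the user identifier in the lookup itself, not just in the code that calls it.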


How can this vulnerability impact me?

This vulnerability can have severe impacts including full account takeover by attackers who have the victim's username and password.

Because 2FA is bypassed, attackers can access sensitive data, exfiltrate information, and potentially compromise supply chains in environments using Gogs.

This affects public Gogs instances, developer or maintainer accounts, and enterprise self-hosted servers, undermining the security protections normally provided by 2FA. [1]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability arises from the UseRecoveryCode function in Gogs, which does not scope recovery codes by user, allowing cross-account 2FA bypass. Detection involves verifying if your Gogs instance is running a vulnerable version (0.13.3 or prior) and checking if 2FA recovery codes are being improperly validated.

To detect exploitation attempts, monitor authentication logs for unusual 2FA recovery code usage, especially recovery codes being used across different user accounts.

While no specific commands are provided in the resources, you can use commands to check the Gogs version installed, for example:

- Check Gogs version: `gogs --version` or check the version in the web interface or deployment metadata.
- Search authentication logs for recovery code usage patterns, e.g., using `grep` on log files: `grep 'recovery code' /path/to/gogs/logs/*`.
- Audit database queries or logs to detect if recovery codes are being used by multiple users.

[1]


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to upgrade Gogs to a patched version where this vulnerability is fixed, specifically version 0.13.4 or later.

Until the upgrade can be performed, consider disabling 2FA recovery code usage or enforcing additional verification steps to prevent cross-account recovery code reuse.

Additionally, monitor for suspicious login activity and reset 2FA recovery codes for all users to invalidate any potentially compromised codes.

