Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2025-64175 is a high-severity vulnerability in Gogs, an open-source self-hosted Git service, that allows bypassing two-factor authentication (2FA). The issue occurs because the recovery code validation function does not verify that a recovery code belongs to the authenticating user. Instead, it searches globally for any unused recovery code without checking the user ID.'}, {'type': 'paragraph', 'content': "This means that if an attacker knows a victim's username and password, they can use any unused recovery code, including one from their own account, to bypass the victim's 2FA. This flaw enables full account takeover by rendering 2FA ineffective."}, {'type': 'paragraph', 'content': 'The vulnerability affects all Gogs versions supporting 2FA since April 5, 2017, and was patched in versions 0.13.4 and 0.14.0+dev.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability can have severe impacts including full account takeover by attackers who have the victim's username and password."}, {'type': 'paragraph', 'content': 'Because 2FA is bypassed, attackers can access sensitive data, exfiltrate information, and potentially compromise supply chains in environments using Gogs.'}, {'type': 'paragraph', 'content': 'This affects public Gogs instances, developer or maintainer accounts, and enterprise self-hosted servers, undermining the security protections normally provided by 2FA.'}] [1]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability arises from the UseRecoveryCode function in Gogs, which does not scope recovery codes by user, allowing cross-account 2FA bypass. Detection involves verifying if your Gogs instance is running a vulnerable version (0.13.3 or prior) and checking if 2FA recovery codes are being improperly validated.'}, {'type': 'paragraph', 'content': 'To detect exploitation attempts, monitor authentication logs for unusual 2FA recovery code usage, especially recovery codes being used across different user accounts.'}, {'type': 'paragraph', 'content': 'While no specific commands are provided in the resources, you can use commands to check the Gogs version installed, for example:'}, {'type': 'list_item', 'content': 'Check Gogs version: `gogs --version` or check the version in the web interface or deployment metadata.'}, {'type': 'list_item', 'content': "Search authentication logs for recovery code usage patterns, e.g., using `grep` on log files: `grep 'recovery code' /path/to/gogs/logs/*`."}, {'type': 'list_item', 'content': 'Audit database queries or logs to detect if recovery codes are being used by multiple users.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade Gogs to a patched version where this vulnerability is fixed, specifically version 0.13.4 or later.

Until the upgrade can be performed, consider disabling 2FA recovery code usage or enforcing additional verification steps to prevent cross-account recovery code reuse.

Additionally, monitor for suspicious login activity and reset 2FA recovery codes for all users to invalidate any potentially compromised codes.

Useful 0 Not Useful 0