Executive Summary

CVE-2026-22592 is a Denial of Service (DoS) vulnerability in the Gogs Git service, specifically in its repository mirror synchronization feature.

The issue occurs when an authenticated user triggers a mirror synchronization on a repository that has had one or more files deleted before synchronization. If the repository no longer exists, the function responsible for retrieving the mirror record returns an error and a nil pointer. However, the error handling code incorrectly tries to access this nil pointer, causing the application to crash.

This crash results in a denial of service, making the server unavailable. The vulnerability affects Gogs versions up to and including 0.13.3 and has been fixed in versions 0.13.4 and later.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an authenticated user to cause the Gogs server to crash during repository mirror synchronization, resulting in a denial of service.

The impact is that the availability of the Git service is disrupted, potentially preventing users from accessing repositories or performing Git operations until the server is restarted or patched.

The severity is rated as moderate with a CVSS v3 base score of 6.5, indicating a significant impact on service availability but no direct impact on confidentiality or integrity.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for crashes or denial of service symptoms in the Gogs service, especially during repository mirror synchronization operations.

Specifically, detection involves checking if the Gogs server crashes when an authenticated user triggers a mirror synchronization on a repository that has had files deleted or the repository itself has been deleted.

A practical approach is to simulate or monitor mirror synchronization requests to the endpoint `/superuser/gobypass403/settings` and observe if the server crashes or logs null pointer dereference errors related to `GetMirrorByRepoID`.

While no explicit commands are provided, you can use network monitoring tools like curl or Python scripts to send POST requests to the mirror synchronization endpoint with appropriate authentication and CSRF tokens to test for the vulnerability.

• Example: Use curl or a script to send repeated POST requests to `/superuser/gobypass403/settings` to trigger mirror synchronization.
• Monitor Gogs server logs for errors or crashes related to null pointer dereferences in `mirror.go`.

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The immediate mitigation step is to upgrade Gogs to version 0.13.4 or later, where this vulnerability has been patched.'}, {'type': 'paragraph', 'content': "Until the upgrade can be performed, restrict authenticated users' ability to trigger mirror synchronization on repositories, especially those that may have deleted files or have been deleted."}, {'type': 'paragraph', 'content': 'Additionally, monitor and audit repository deletions and mirror synchronization activities to prevent exploitation.'}] [1]

Useful 0 Not Useful 0