CVE-2026-24135
Path Traversal in Gogs Wiki Allows Arbitrary File Deletion

Publication date: 2026-02-06

Last updated on: 2026-02-17

Assigner: GitHub, Inc.

Description
Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, a path traversal vulnerability exists in the updateWikiPage function of Gogs. The vulnerability allows an authenticated user with write access to a repository's wiki to delete arbitrary files on the server by manipulating the old_title parameter in the wiki editing form. This issue has been patched in versions 0.13.4 and 0.14.0+dev.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-02-06
EPSS Evaluated: 2026-06-15
References: NVD, EUVD
Affected Vendors & Products (1 associated CPE)
Vendor: gogs
Product: gogs
Version / Range: up to 0.13.4 (exclusive)
CWE
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
AI Quick Actions (instant insights powered by AI)
Executive Summary

CVE-2026-24135 is a path traversal vulnerability in the Gogs open source Git service, specifically in the updateWikiPage function. It affects versions 0.13.3 and earlier.

The issue occurs because the old_title parameter, used when renaming wiki pages, is not properly sanitized before being used to delete files on the server. An authenticated user with write access to a repository's wiki can manipulate this parameter to delete arbitrary .md files outside the intended wiki directory by including path traversal sequences.

This means the attacker can delete important files on the server by tricking the system into removing files it should not, potentially causing data loss or denial of service. [1]

Impact Analysis

This vulnerability can lead to serious impacts including:

- Denial of Service (DoS) by deleting critical configuration or data files on the server.
- Data loss through deletion of other users' wiki pages or important documentation.

Since the deletion is limited to files with a .md extension, the impact depends on what markdown files exist on the server, but critical files could be targeted. [1]

Detection Guidance

This vulnerability can be detected by monitoring for suspicious POST requests to the /repo/wiki/edit endpoint in Gogs, especially those containing the old_title parameter with path traversal sequences such as ../../../../.

One way to detect exploitation attempts is to intercept and inspect HTTP requests made by authenticated users with write access to repository wikis.

Example commands to detect such activity might include using network traffic capture tools like tcpdump or Wireshark to filter HTTP POST requests to /repo/wiki/edit, or using web server logs to search for suspicious old_title parameter values.

- Use tcpdump to capture HTTP POST requests to the wiki edit endpoint: tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'POST /repo/wiki/edit'
- Search web server logs for suspicious old_title parameters containing path traversal sequences: grep 'old_title=.*\.\.\/\.\.\/' /path/to/gogs/access.log

Additionally, monitoring for unexpected deletions of .md files outside the wiki directory on the server filesystem may indicate exploitation. [1]
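
As an added example (not from the advisory or the Gogs project), the following Go program implements the log-search idea above with two refinements the grep alone does not give: it URL-decodes the parameter (once by the form parser, and once more to catch double encoding) and looks for a ".." path segment in either separator style rather than a literal "../../". The log lines are constructed, and the body="..." field assumes a proxy or WAF log that records the decoded form body; a plain access log records only the request line, so old_title, which travels in the POST body, would not appear in it at all.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// sampleLog holds constructed log lines (not real Gogs output). The body="..."
// field is an assumption: it models a proxy/WAF log that records form bodies.
var sampleLog = []string{
	`10.0.0.5 - alice [06/Feb/2026:10:00:01 +0000] "POST /acme/docs/wiki/edit HTTP/1.1" 302 body="title=Home&old_title=Home&content=hello"`,
	`10.0.0.9 - bob [06/Feb/2026:10:00:07 +0000] "POST /acme/docs/wiki/edit HTTP/1.1" 302 body="title=Home&old_title=..%2F..%2F..%2F..%2Fetc%2Fnotes&content=x"`,
	`10.0.0.9 - bob [06/Feb/2026:10:00:09 +0000] "POST /acme/docs/wiki/edit HTTP/1.1" 302 body="title=Home&old_title=%252e%252e%252f%252e%252e%252fREADME&content=x"`,
	`10.0.0.7 - carol [06/Feb/2026:10:01:00 +0000] "GET /acme/docs/wiki/Home HTTP/1.1" 200 body=""`,
}

// Finding describes one suspicious wiki edit request.
type Finding struct {
	Line     int    // 1-based index into the scanned lines
	User     string // authenticated user from the log line, "?" if absent
	OldTitle string // old_title after one round of form decoding
	Reason   string
}

var (
	wikiEdit  = regexp.MustCompile(`"POST (\S*/wiki/edit)\S* HTTP/[0-9.]+"`)
	bodyField = regexp.MustCompile(`body="([^"]*)"`)
	userField = regexp.MustCompile(`^\S+ - (\S+) \[`)
)

// hasTraversal reports whether a decoded title is an absolute path or contains
// a ".." segment (with "/" or "\" separators). It also decodes the value a
// second time so that double-encoded input (%252e...) is not missed.
func hasTraversal(title string) (string, bool) {
	candidates := []string{title}
	if again, err := url.PathUnescape(title); err == nil && again != title {
		candidates = append(candidates, again)
	}
	for _, c := range candidates {
		norm := strings.ReplaceAll(c, `\`, "/")
		if strings.HasPrefix(norm, "/") {
			return "absolute path in old_title", true
		}
		for _, seg := range strings.Split(norm, "/") {
			if seg == ".." {
				return "parent-directory segment in old_title", true
			}
		}
	}
	return "", false
}

// ScanLog returns a Finding for every POST to a wiki edit endpoint whose
// old_title form value contains a traversal pattern.
func ScanLog(lines []string) []Finding {
	var out []Finding
	for i, line := range lines {
		if !wikiEdit.MatchString(line) {
			continue
		}
		m := bodyField.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		form, err := url.ParseQuery(m[1]) // first round of percent-decoding
		if err != nil {
			continue
		}
		old := form.Get("old_title")
		if old == "" {
			continue
		}
		if reason, bad := hasTraversal(old); bad {
			user := "?"
			if u := userField.FindStringSubmatch(line); u != nil {
				user = u[1]
			}
			out = append(out, Finding{Line: i + 1, User: user, OldTitle: old, Reason: reason})
		}
	}
	return out
}

func main() {
	for _, f := range ScanLog(sampleLog) {
		fmt.Printf("line %d user=%s reason=%q old_title=%q\n", f.Line, f.User, f.Reason, f.OldTitle)
	}
}
```

Run against the constructed lines, the scanner flags the two requests from bob (the plainly encoded and the double-encoded one) and ignores alice's ordinary rename and carol's GET. Because it checks for a ".." segment after decoding, it also catches backslash-separated and double-encoded variants that a literal "../../" grep would pass over.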

Mitigation Strategies

The immediate mitigation step is to upgrade Gogs to version 0.13.4 or later, where the vulnerability has been patched.

If upgrading is not immediately possible, restrict write access to repository wikis to trusted users only, as exploitation requires authenticated write access.

Additionally, monitor and sanitize the old_title parameter in any custom proxies or middleware to prevent path traversal sequences.

The patch involves sanitizing the old_title parameter before it is used to delete files, for example by applying functions like ToWikiPageName or path.Clean and basename validation.
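
The check described above, as an added example in Go (hypothetical code written for this page, not the Gogs patch): safeWikiPagePath cleans the title, requires it to be a bare basename, confirms the joined path still lies under the wiki directory, and only then does deleteWikiPage remove the .md file. unsafeWikiPagePath shows the unchecked join the advisory describes, for comparison. The directory and titles in main are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrBadTitle is returned for any title that is not a bare page name.
var ErrBadTitle = errors.New("wiki page title escapes the wiki directory")

// unsafeWikiPagePath is the pattern the advisory describes: the title is joined
// onto the wiki directory unchecked, so a title holding ".." segments resolves
// outside it. Illustrative only, not Gogs's actual code.
func unsafeWikiPagePath(wikiDir, title string) string {
	return filepath.Join(wikiDir, title+".md")
}

// safeWikiPagePath is a hypothetical hardened replacement applying the
// advisory's recommendation: clean the title, require it to be a bare basename,
// and verify that the joined path stays inside wikiDir.
func safeWikiPagePath(wikiDir, title string) (string, error) {
	title = strings.TrimSpace(title)
	if title == "" || title == "." || title == ".." {
		return "", ErrBadTitle
	}
	// Basename validation: reject separators of either kind and anything
	// whose basename differs from the title itself.
	if strings.ContainsAny(title, `/\`) || filepath.Base(title) != title {
		return "", ErrBadTitle
	}
	cleanDir, err := filepath.Abs(wikiDir)
	if err != nil {
		return "", err
	}
	full := filepath.Join(cleanDir, title+".md") // Join also runs Clean
	// Defence in depth: confirm the result is still inside the wiki directory.
	rel, err := filepath.Rel(cleanDir, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrBadTitle
	}
	return full, nil
}

// deleteWikiPage removes the old page file only after the path check passes.
func deleteWikiPage(wikiDir, oldTitle string) error {
	p, err := safeWikiPagePath(wikiDir, oldTitle)
	if err != nil {
		return err
	}
	return os.Remove(p)
}

func main() {
	dir := "/srv/gogs/wiki" // constructed example directory
	for _, t := range []string{"Home", "../../../../etc/notes", `..\..\README`, "docs/Home"} {
		safe, err := safeWikiPagePath(dir, t)
		fmt.Printf("%-25q unsafe=%s safe=%s err=%v\n", t, unsafeWikiPagePath(dir, t), safe, err)
	}
}
```

The basename check alone already rejects every traversal form; the filepath.Rel check is kept as a second, independent guard so that a later change to the title rules cannot silently reopen the hole.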
