Executive Summary

CVE-2026-25921 is a critical security vulnerability in Gogs, an open source self-hosted Git service, specifically affecting its Large File Storage (LFS) feature prior to version 0.14.2.

The vulnerability arises because Gogs stores all LFS objects in a shared storage location without isolating them by repository, and it does not verify that the content of an uploaded LFS object matches its claimed SHA-256 hash (Object ID or OID).

This lack of verification allows an attacker to maliciously overwrite LFS objects across different repositories by uploading manipulated content under the same OID, leading to a supply-chain attack where users may unknowingly receive tampered files.

The issue was fixed by implementing strict content hash verification, atomic file creation to prevent overwrites, temporary file handling with rename semantics, and proper error handling to reject invalid uploads.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have serious impacts by allowing attackers to perform supply-chain attacks through malicious overwriting of LFS objects across repositories.

Specifically, attackers can replace legitimate large files stored in Gogs with malicious or tampered content without detection, potentially distributing harmful files to users who clone or pull repositories.

Because the integrity of LFS objects is compromised, this can lead to compromised software builds, injection of malware, or other malicious activities that rely on trusted file contents.

The vulnerability has a high CVSS score of 9.3, indicating critical severity with high impact on integrity and some impact on availability, and it requires no privileges or user interaction to exploit.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves the overwriting of Git Large File Storage (LFS) objects across repositories due to missing verification of the SHA-256 hash of uploaded content. Detection involves checking if your Gogs instance is running a vulnerable version (prior to 0.14.2) and monitoring for suspicious LFS upload activities where files with the same Object ID (OID) are overwritten or replaced.

Since the vulnerability exploits the acceptance of LFS uploads without verifying the content hash, you can detect potential exploitation by monitoring LFS upload endpoints for unusual or repeated uploads of the same OID from different repositories.

Suggested commands or steps to detect this vulnerability include:

• Check the Gogs version to confirm if it is prior to 0.14.2 (vulnerable): ``` gogs --version ```
• Inspect the LFS storage directory for multiple repositories sharing the same OID files, which should not normally happen if the fix is applied.
• Monitor HTTP logs or use network monitoring tools to detect repeated LFS upload requests with the same OID but different content hashes.
• Use file integrity tools or scripts to verify that stored LFS objects match their claimed SHA-256 hashes, indicating whether tampering has occurred.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade your Gogs installation to version 0.14.2 or later, where this vulnerability has been patched.

The patch includes strict verification of the SHA-256 hash of uploaded LFS objects, atomic file creation to prevent overwrites, and safe handling of temporary files during uploads.

Additional immediate steps include:

• Restrict access to the LFS upload endpoints to trusted users or networks until the upgrade can be applied.
• Audit existing LFS objects for potential tampering by verifying their content hashes against their OIDs.
• Clean up any temporary files in the LFS temporary storage directory to avoid stale or malicious files.
• Review and monitor logs for suspicious LFS upload activity that might indicate exploitation attempts.

Useful 0 Not Useful 0