CVE-2025-64719
Deferred Deferred - Pending Action

Denial of Service in Gogs via Commit Recovery Failure

Vulnerability report for CVE-2025-64719, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-06-25

Assigner: GitHub, Inc.

Description

Gogs is an open source self-hosted Git service. Prior to 0.14.3, a malicious user with rights to create a new file on a repository or wiki page can trigger a denial of service condition in which the pages containing the listing of files will return HTTP error 500 and render the web interface unusable for the repository or wiki. The issue is present in file internal/route/repo/wiki.go and internal/route/repo/view.go where the pages try to recover commit information. If errors are returned while recovering commit information, the page will return a 500 error and stop rendering, resulting in a denial of service. This vulnerability is fixed in 0.14.3.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-06-25
Generated
2026-07-15
AI Q&A
2026-06-25
EPSS Evaluated
2026-07-13
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
gogs gogs to 0.14.3 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects Gogs, an open source self-hosted Git service, in versions prior to 0.14.3. A malicious user who has the rights to create a new file on a repository or wiki page can cause a denial of service (DoS) condition. Specifically, when the pages that list files attempt to recover commit information, errors can occur that cause the page to return an HTTP 500 error. This stops the page from rendering and makes the web interface unusable for that repository or wiki.

The issue is located in the files internal/route/repo/wiki.go and internal/route/repo/view.go, where error handling during commit information recovery is insufficient, leading to the DoS condition. This vulnerability was fixed in version 0.14.3.

Impact Analysis

The impact of this vulnerability is a denial of service condition on the affected Gogs repository or wiki pages. A malicious user with file creation rights can trigger HTTP 500 errors on pages listing files, causing those pages and the web interface to become unusable. This disrupts normal access and use of the repository or wiki, potentially halting development or collaboration activities.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Gogs to version 0.14.3 or later, where the issue has been fixed.

Detection Guidance

This vulnerability occurs in Gogs versions prior to 0.14.3 when a malicious user with rights to create new files triggers a denial of service by causing HTTP 500 errors on pages listing files or wiki pages.

To detect this vulnerability on your system, you can check the version of Gogs you are running. If it is older than 0.14.3, your system is potentially vulnerable.

There are no specific commands provided to detect exploitation attempts or the vulnerability itself in the provided context.

A general approach to detect the issue could include monitoring your web server logs for HTTP 500 errors on repository or wiki pages, especially after file creation actions.

Compliance Impact

The vulnerability in Gogs prior to version 0.14.3 causes a denial of service condition by returning HTTP error 500 on certain repository or wiki pages, making the web interface unusable for those pages.

This issue affects availability but does not impact confidentiality or integrity of data.

Since common standards and regulations like GDPR and HIPAA emphasize the protection of personal data confidentiality, integrity, and availability, this vulnerability primarily impacts the availability aspect.

However, there is no indication from the provided information that this vulnerability leads to unauthorized data access or data breaches, which are typically the main compliance concerns under these regulations.

Therefore, while this denial of service could affect system availability and potentially disrupt services, it does not directly cause non-compliance with GDPR or HIPAA related to data privacy or security.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-64719. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart