CVE-2025-64719
Received - Intake
Denial of Service in Gogs via Commit Recovery Failure

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description
Gogs is an open source self-hosted Git service. Prior to 0.14.3, a malicious user with rights to create a new file on a repository or wiki page can trigger a denial of service condition in which the pages containing the listing of files will return HTTP error 500 and render the web interface unusable for the repository or wiki. The issue is present in file internal/route/repo/wiki.go and internal/route/repo/view.go where the pages try to recover commit information. If errors are returned while recovering commit information, the page will return a 500 error and stop rendering, resulting in a denial of service. This vulnerability is fixed in 0.14.3.
Meta Information
Published: 2026-06-24
Last Modified: 2026-06-24
Generated: 2026-06-25
AI Q&A: 2026-06-25
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor | Product | Version / Range
gogs | gogs | to 0.14.3 (exc)
CWE ID | Description
CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Executive Summary

This vulnerability affects Gogs, an open source self-hosted Git service, in versions prior to 0.14.3. A malicious user who has the rights to create a new file on a repository or wiki page can cause a denial of service (DoS) condition. Specifically, when the pages that list files attempt to recover commit information, errors can occur that cause the page to return an HTTP 500 error. This stops the page from rendering and makes the web interface unusable for that repository or wiki.

The issue is located in the files internal/route/repo/wiki.go and internal/route/repo/view.go, where error handling during commit information recovery is insufficient, leading to the DoS condition. This vulnerability was fixed in version 0.14.3.
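The failure mode described above, sketched as an added example (not Gogs source code and not the 0.14.3 patch, which this page does not show): a listing routine that aborts with a 500 on the first commit-lookup error, beside one that renders the row without commit data and returns the error for logging. The names Entry, lookupFn, listFailClosed, listDegraded and sampleLookup are hypothetical, and the sample data is constructed.

```go
package main

import "fmt"

// Entry is one row of a file listing (hypothetical type, not from Gogs).
type Entry struct{ Name, Commit string }

// lookupFn stands in for the per-file commit lookup (assumption).
type lookupFn func(name string) (string, error)

// listFailClosed aborts the whole page with a 500 on the first lookup error.
func listFailClosed(names []string, lookup lookupFn) (int, []Entry) {
	var rows []Entry
	for _, n := range names {
		c, err := lookup(n)
		if err != nil {
			return 500, nil // one bad entry hides every other file
		}
		rows = append(rows, Entry{Name: n, Commit: c})
	}
	return 200, rows
}

// listDegraded keeps rendering: a failed lookup leaves Commit empty.
func listDegraded(names []string, lookup lookupFn) (int, []Entry, []error) {
	var rows []Entry
	var errs []error
	for _, n := range names {
		c, err := lookup(n)
		if err != nil {
			errs = append(errs, fmt.Errorf("commit lookup for %q: %w", n, err))
		}
		rows = append(rows, Entry{Name: n, Commit: c})
	}
	return 200, rows, errs
}

// sampleLookup is constructed test data: one entry whose lookup fails.
func sampleLookup(name string) (string, error) {
	if name == "bad-entry" {
		return "", fmt.Errorf("commit information unavailable")
	}
	return "abc1234", nil
}

func main() {
	names := []string{"README.md", "bad-entry", "main.go"}
	code, _ := listFailClosed(names, sampleLookup)
	_, rows, errs := listDegraded(names, sampleLookup)
	fmt.Println(code, len(rows), errs)
}
```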

Impact Analysis

The impact of this vulnerability is a denial of service condition on the affected Gogs repository or wiki pages. A malicious user with file creation rights can trigger HTTP 500 errors on pages listing files, causing those pages and the web interface to become unusable. This disrupts normal access and use of the repository or wiki, potentially halting development or collaboration activities.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Gogs to version 0.14.3 or later, where the issue has been fixed.
