<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Gogs (All Prior Versions) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/gogs-all-prior-versions/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 03 Jul 2026 11:00:08 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/gogs-all-prior-versions/feed.xml" rel="self" type="application/rss+xml"/><item><title>Gogs Remote Code Execution via git rebase --exec Argument Injection (GHSA-qf6p-p7ww-cwr9)</title><link>https://feed.craftedsignal.io/briefs/2026-07-gogs-rce/</link><pubDate>Fri, 03 Jul 2026 11:00:08 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-gogs-rce/</guid><description>Gogs, a self-hosted Git service, is vulnerable to a Critical (CVSS 9.9) Remote Code Execution (RCE) via `git rebase --exec` argument injection (GHSA-qf6p-p7ww-cwr9) during pull request merge operations, allowing an authenticated attacker to execute arbitrary commands as the Gogs server process user and achieve full server compromise.</description><content:encoded><![CDATA[<p>A critical Remote Code Execution (RCE) vulnerability, identified as GHSA-qf6p-p7ww-cwr9, affects Gogs, the self-hosted Git service, specifically versions 0.14.2, 0.15.0+dev (prior to commit <code>b53d3162</code>), and all prior versions supporting &quot;Rebase before merging&quot; merge styles. This vulnerability allows any authenticated user to achieve RCE on the underlying server by crafting a malicious branch name that injects the <code>--exec</code> flag into the <code>git rebase</code> command during a pull request merge. The exploit results in privilege escalation from a regular user to server-level code execution, enabling full compromise, cross-tenant data breaches, and supply chain attacks. The severity is heightened by Gogs's default open registration (<code>DISABLE_REGISTRATION = false</code>) and the fact that any user can create a repository and enable the &quot;Rebase before merging&quot; option without administrator intervention, effectively making the vulnerability exploitable with minimal prerequisites and leaving minimal traces in logs.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access</strong>: An attacker obtains an authenticated account on the Gogs instance, either through open registration or by compromising existing credentials.</li>
<li><strong>Repository Setup</strong>: The attacker creates their own repository (or gains write access to one where &quot;Rebase before merging&quot; is enabled) and then enables the &quot;Rebase before merging&quot; option in the repository settings.</li>
<li><strong>Malicious Branch Creation</strong>: The attacker creates a new branch in their repository with a specially crafted name, such as <code>--exec=touch${IFS}/tmp/rce_proof</code>, which abuses the <code>git rebase --exec</code> argument.</li>
<li><strong>Pull Request Submission</strong>: The attacker creates a pull request (PR) targeting their own repository's base branch from their malicious branch.</li>
<li><strong>Merge Operation Initiation</strong>: The attacker initiates the &quot;Rebase before merging&quot; operation for the malicious pull request through the Gogs web interface.</li>
<li><strong>Remote Code Execution</strong>: During the rebase process, Gogs executes the <code>git rebase</code> command with the attacker's crafted branch name. Git interprets <code>--exec=...</code> as an argument, causing the embedded command (<code>touch /tmp/rce_proof</code> or a base64-encoded payload) to execute on the Gogs server as the Gogs process user (typically <code>git</code>).</li>
<li><strong>Server Compromise/Impact</strong>: Despite a subsequent <code>git checkout</code> failure leading to an HTTP 500 error in Gogs, the RCE has already successfully completed, giving the attacker full control over the server.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability leads to severe consequences, including full server compromise. An attacker gains arbitrary command execution as the Gogs process user, which can lead to cross-tenant data breaches, allowing them to read all repositories on the instance, including other users' private code. This can also facilitate credential theft, providing access to password hashes, API tokens, SSH keys, and 2FA secrets for every user. Furthermore, the attacker can use the compromised server for lateral movement into other internal systems and can conduct supply chain attacks by silently modifying any hosted repository's code. This critical vulnerability affects all Gogs installations regardless of the operating system (Linux, macOS, Windows) or deployment method (binary, Docker, source), posing a significant threat to the integrity and confidentiality of code hosted on Gogs instances.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li><strong>Patch Immediately</strong>: Upgrade Gogs to a version that contains the fix for GHSA-qf6p-p7ww-cwr9. As of the advisory, a patch was not explicitly mentioned, but the issue is tied to <code>b53d3162</code> commit. Monitor Gogs releases for official patch availability.</li>
<li><strong>Implement Process Monitoring</strong>: Deploy the Sigma rule in this brief to your SIEM to detect <code>git rebase</code> commands containing the <code>--exec=</code> argument. Ensure your endpoint detection and response (EDR) or Sysmon configuration captures process creation events, including command-line arguments and parent-child relationships, on Gogs server hosts.</li>
<li><strong>Review Gogs Configuration</strong>: If patching is not immediately possible, consider disabling the &quot;Rebase before merging&quot; option globally or restricting user permissions to prevent its enablement on repositories until a patch is applied.</li>
<li><strong>Monitor Gogs Application Logs</strong>: Regularly review Gogs application logs for error messages indicating <code>git checkout '--exec=&lt;...&gt;': exit status 128 - error: unknown option \</code>exec=&lt;...&gt;''`, which signifies a post-RCE attempt to check out the malicious branch.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>rce</category><category>gogs</category><category>git</category><category>code-repository</category><category>vulnerability</category><category>argument-injection</category><category>server-side-request-forgery</category></item></channel></rss>