SB2025121159 - Multiple vulnerabilities in gogs
Published: December 11, 2025
Updated: April 27, 2026
Description
This security bulletin contains information about 6 vulnerabilities.
1) Path traversal (CVE-ID: CVE-2024-55947)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to perform directory traversal attacks.
The vulnerability exists due to an input validation error when processing directory traversal sequences. A remote user can write files to an arbitrary location on the system and gain SSH access to the server, leading to remote code execution.
2) Input validation error (CVE-ID: CVE-2024-39933)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper input validation in the release tagging functionality when creating new tags. A remote user can inject unintended Git options to read arbitrary files on the system and disclose sensitive information.
Exploitation requires an account with at least one SSH key.
3) Input validation error (CVE-ID: CVE-2024-39932)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to write to arbitrary files on the filesystem.
The vulnerability exists due to improper input validation in the changes preview feature when processing unintended Git options for diff preview. A remote user can supply crafted arguments to write to arbitrary files on the filesystem.
Exploitation can force a re-installation of the instance and allow access to and modification of other users' hosted code on the same instance.
4) Input validation error (CVE-ID: CVE-2024-39931)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary commands and access and alter other users' code.
The vulnerability exists due to improper input validation in internal file deletion handling when deleting .git files. A remote user can delete specially crafted internal files to execute arbitrary commands and access and alter other users' code.
Code execution occurs with the privileges of the account specified by RUN_USER in the configuration.
5) Input validation error (CVE-ID: CVE-2024-39930)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary commands and access and alter other users' code.
The vulnerability exists due to improper input validation in the built-in SSH server when processing the env command. A remote user can send a specially crafted command to execute arbitrary commands and access and alter other users' code.
Exploitation requires the built-in SSH server to be enabled and the user account to have at least one SSH key.
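Items 2, 3 and 5 share one bug class: values under the control of an authenticated user (a tag name, a diff argument, an environment variable from the SSH session) reach git without being constrained to the role they were meant to play. The Go program below is an added defensive illustration, not Gogs code: it validates ref names against a subset of git's check-ref-format rules, places every user value after the "--" end-of-options marker so it can never be read as an option, and filters SSH-supplied environment variables through an allowlist. The allowlist contents, the function names and the sample inputs are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// validRefName checks a user-supplied tag or branch name against a subset of
// git's check-ref-format rules. The first rule is the one that matters most
// for argument injection: a name starting with '-' is rejected outright.
func validRefName(name string) error {
	switch {
	case name == "" || name == "@":
		return errors.New("empty or reserved ref name")
	case strings.HasPrefix(name, "-"):
		return errors.New("ref name must not start with '-'")
	case strings.HasPrefix(name, "/") || strings.HasSuffix(name, "/") || strings.HasSuffix(name, "."):
		return errors.New("ref name has a bad leading or trailing character")
	case strings.Contains(name, "..") || strings.Contains(name, "//") || strings.Contains(name, "@{"):
		return errors.New("ref name contains a forbidden sequence")
	}
	for _, r := range name {
		if r < 0x20 || r == 0x7f || strings.ContainsRune(" ~^:?*[\\", r) {
			return fmt.Errorf("ref name contains forbidden character %q", r)
		}
	}
	for _, comp := range strings.Split(name, "/") {
		if strings.HasPrefix(comp, ".") || strings.HasSuffix(comp, ".lock") {
			return errors.New("ref component starts with '.' or ends with .lock")
		}
	}
	return nil
}

// GitRefArgs builds the argument vector for a git subcommand. Options chosen by
// the server go first; every user-controlled ref lands after "--", so even a
// value that slipped past validation could not be parsed as an option.
func GitRefArgs(subcommand string, fixedOpts []string, userRefs ...string) ([]string, error) {
	for _, ref := range userRefs {
		if err := validRefName(ref); err != nil {
			return nil, fmt.Errorf("rejecting %q: %w", ref, err)
		}
	}
	args := append([]string{subcommand}, fixedOpts...)
	args = append(args, "--")
	return append(args, userRefs...), nil
}

var envNameRE = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)

// allowedEnv is an assumed, illustrative allowlist of variable names an SSH
// session may set. Anything else, including GIT_* variables that change how
// git locates repositories or runs helper programs, is dropped.
var allowedEnv = map[string]bool{"LANG": true, "LC_ALL": true, "TERM": true}

// FilterSSHEnv returns the NAME=value pairs that may be passed to git and the
// names that were discarded. Values containing NUL or newline are refused too.
func FilterSSHEnv(requested map[string]string) (accepted []string, dropped []string) {
	for name, value := range requested {
		if !envNameRE.MatchString(name) || !allowedEnv[name] || strings.ContainsAny(value, "\x00\n") {
			dropped = append(dropped, name)
			continue
		}
		accepted = append(accepted, name+"="+value)
	}
	sort.Strings(accepted)
	sort.Strings(dropped)
	return accepted, dropped
}

func main() {
	// Constructed sample inputs: one honest tag name, one that looks like an option.
	args, err := GitRefArgs("tag", []string{"-a"}, "v1.2.3")
	fmt.Println(args, err)
	_, err = GitRefArgs("tag", nil, "--some-option")
	fmt.Println(err)
	acc, drop := FilterSSHEnv(map[string]string{"LANG": "C.UTF-8", "GIT_DIR": "/tmp/x"})
	fmt.Println(acc, drop)
}
```

The same shape applies to any server-side git invocation: decide which positions are refs, which are paths and which are options, validate each against the rules for that role, and never let a value chosen by the client precede "--". The environment filter is the counterpart for the SSH path, where a variable rather than an argument is the injection vector.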
6) Input validation error (CVE-ID: CVE-2024-54148)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code on the server.
The vulnerability exists due to improper input validation in the repository web editor when editing a crafted symlink file while changing the file name. A remote user can commit and edit a crafted symlink file to execute arbitrary code on the server.
Exploitation requires access to a repository through the web-based file editing workflow.
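Items 1 and 6 are both failures to constrain where a user-chosen file name ends up: item 1 through traversal sequences, item 6 through a symlink that redirects a write out of the repository. The following Go program is an added example written for this bulletin, not Gogs code. It maps a path from a web editor form onto the repository root, rejects absolute paths, traversal and (as an extra check in the spirit of item 4) anything under the repository's own .git directory, and then refuses to write through any existing path component that is a symbolic link. Function and error names are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var (
	// ErrOutsideRoot: the user path resolves above or outside the repository root.
	ErrOutsideRoot = errors.New("path escapes repository root")
	// ErrGitDir: the user path targets the repository's internal .git directory.
	ErrGitDir = errors.New("path targets the .git directory")
	// ErrSymlink: an existing component of the target path is a symbolic link.
	ErrSymlink = errors.New("path passes through a symbolic link")
)

// SafeRepoPath is a pure string check: it joins the user path onto root and
// verifies that the cleaned result still lies strictly inside root.
func SafeRepoPath(root, userPath string) (string, error) {
	if filepath.IsAbs(userPath) || strings.ContainsRune(userPath, 0) {
		return "", ErrOutsideRoot
	}
	cleanRoot := filepath.Clean(root)
	target := filepath.Join(cleanRoot, userPath) // Join cleans "..", possibly past root
	rel, err := filepath.Rel(cleanRoot, target)
	if err != nil || rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	if strings.Split(rel, string(filepath.Separator))[0] == ".git" {
		return "", ErrGitDir
	}
	return target, nil
}

// RefuseSymlinks walks the components of target below root with Lstat, which
// does not follow links, and fails on the first symbolic link it meets.
// Components that do not exist yet cannot be links, so the walk stops there.
func RefuseSymlinks(root, target string) error {
	rel, err := filepath.Rel(filepath.Clean(root), target)
	if err != nil {
		return err
	}
	cur := filepath.Clean(root)
	for _, comp := range strings.Split(rel, string(filepath.Separator)) {
		cur = filepath.Join(cur, comp)
		fi, err := os.Lstat(cur)
		if errors.Is(err, os.ErrNotExist) {
			return nil
		}
		if err != nil {
			return err
		}
		if fi.Mode()&os.ModeSymlink != 0 {
			return fmt.Errorf("%w: %s", ErrSymlink, cur)
		}
	}
	return nil
}

// CheckedWritePath runs both checks and returns the only path a write may use.
func CheckedWritePath(root, userPath string) (string, error) {
	target, err := SafeRepoPath(root, userPath)
	if err != nil {
		return "", err
	}
	if err := RefuseSymlinks(root, target); err != nil {
		return "", err
	}
	return target, nil
}

func main() {
	// Constructed demo: a scratch repository containing a symlink pointing outside it.
	root, _ := os.MkdirTemp("", "repo")
	defer os.RemoveAll(root)
	_ = os.MkdirAll(filepath.Join(root, "docs"), 0o755)
	_ = os.Symlink(os.TempDir(), filepath.Join(root, "docs", "link"))
	for _, p := range []string{"docs/readme.md", "../outside.txt", "docs/link/x", ".git/config"} {
		target, err := CheckedWritePath(root, p)
		fmt.Printf("%-16s -> %q %v\n", p, target, err)
	}
}
```

The two checks are deliberately separate: the string check costs nothing and catches traversal before any filesystem access, while the Lstat walk is what actually stops a link planted in repository content from redirecting a write, which no amount of string cleaning can detect.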
Remediation
Install update from vendor's website.
References
- https://github.com/gogs/gogs/commit/9a9388ace25bd646f5098cb9193d983332c34e41
- https://github.com/gogs/gogs/issues/7582
- https://github.com/gogs/gogs/pull/7859
- https://github.com/gogs/gogs/security/advisories/GHSA-qf5v-rp47-55gg
- https://github.com/gogs/gogs/security/advisories/GHSA-m27m-h5gj-wwmg
- https://www.cve.org/CVERecord?id=CVE-2024-39933
- https://github.com/gogs/gogs/security/advisories/GHSA-9pp6-wq8c-3w2c
- https://www.cve.org/CVERecord?id=CVE-2024-39932
- https://github.com/gogs/gogs/security/advisories/GHSA-ccqv-43vm-4f3w
- https://www.cve.org/CVERecord?id=CVE-2024-39931
- https://github.com/gogs/gogs/security/advisories/GHSA-vm62-9jw3-c8w3
- https://www.cve.org/CVERecord?id=CVE-2024-39930
- https://github.com/gogs/gogs/security/advisories/GHSA-r7j8-5h9c-f6fx