SB2026042779 - Multiple vulnerabilities in gogs

Description

This security bulletin contains information about 2 vulnerabilities.

1) Link following (CVE-ID: CVE-2024-56731)

CWE-ID: CWE-59 - Improper Link Resolution Before File Access ('Link Following')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

The vulnerability allows a remote attacker to execute arbitrary commands.

The vulnerability exists due to improper handling of symbolic links in file deletion logic when deleting files through a symbolic link that points to the .git directory. A remote attacker can create a symbolic link that points to the .git directory and delete internal repository files to execute arbitrary commands.

Successful exploitation can lead to command execution with the privileges of the account specified by RUN_USER in the configuration.

2) Cross-site scripting (CVE-ID: CVE-2025-47943)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear

The vulnerability allows a remote user to execute arbitrary javascript code in the victim's browser.

The vulnerability exists due to cross-site scripting in the PDF renderer using pdfjs-1.4.20 when previewing an uploaded PDF file. A remote user can upload a specially crafted PDF file to execute arbitrary javascript code in the victim's browser.

User interaction is required to click on the uploaded file for preview.

Remediation

Install update from vendor's website.

References

• https://github.com/gogs/gogs/security/advisories/GHSA-wj44-9vcg-wjq7
• https://github.com/advisories/GHSA-wj44-9vcg-wjq7
• https://github.com/gogs/gogs/security/advisories/GHSA-xh32-cx6c-cp4v