SB2026052946 - Argument injection in Gogs
Published: May 29, 2026
Description
This security bulletin contains information about 1 vulnerability.
1) Improper Neutralization of Argument Delimiters in a Command (CVE-ID: N/A)
CWE-ID: CWE-88 - Argument Injection or Modification
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to argument injection in the Merge() function in internal/database/pull.go when processing a pull request with a malicious branch name during the "Rebase before merging" operation. A remote user can create a pull request with a specially crafted branch name to execute arbitrary code.
Exploitation requires rebase merging to be enabled on the target repository and does not require interaction from other users.
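As an added example (not Gogs code; the bulletin does not show the actual git invocation in Merge()), here is the mitigation pattern for this class of bug in Go: a fail-closed branch-name check plus an argv builder for a rebase step that separates options from positional refs with `--` and passes fully qualified `refs/heads/...` names, assuming the service shells out to `git rebase <base> <head>`.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// refNamePattern is a conservative allow-list for branch names (assumption:
// stricter than git-check-ref-format, which is acceptable for a hosting service).
var refNamePattern = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._/-]*$`)

// ValidateBranchName rejects names that git could parse as an option
// (leading '-') or that contain characters with no business in a ref.
func ValidateBranchName(name string) error {
	if name == "" || strings.HasPrefix(name, "-") {
		return fmt.Errorf("branch name %q could be read as a git option", name)
	}
	if !refNamePattern.MatchString(name) {
		return fmt.Errorf("branch name %q contains disallowed characters", name)
	}
	if strings.Contains(name, "..") || strings.HasSuffix(name, ".lock") ||
		strings.HasSuffix(name, "/") || strings.Contains(name, "//") {
		return fmt.Errorf("branch name %q is not a valid ref", name)
	}
	return nil
}

// RebaseArgs builds the argv for "git rebase <base> <head>" so that a
// user-controlled branch name can never be consumed as an option: validation
// fails closed, "--" ends option parsing, and the refs/heads/ prefix means the
// positional arguments cannot start with '-' even if validation were bypassed.
func RebaseArgs(baseBranch, headBranch string) ([]string, error) {
	for _, b := range []string{baseBranch, headBranch} {
		if err := ValidateBranchName(b); err != nil {
			return nil, err
		}
	}
	return []string{"rebase", "--", "refs/heads/" + baseBranch, "refs/heads/" + headBranch}, nil
}

func main() {
	for _, head := range []string{"feature/login-fix", "-constructed-bad-name"} {
		args, err := RebaseArgs("main", head)
		fmt.Printf("head=%q args=%v err=%v\n", head, args, err)
	}
}
```

Pass the returned slice to exec.Command("git", args...) so the shell is never involved; validation should run at pull-request creation time as well, so a bad name is rejected before it is stored.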
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.