Link following in gogs - CVE-2024-56731
Published: April 27, 2026
Vulnerability identifier: #VU128073
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2024-56731
CWE-ID: CWE-59
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: gogs.io
Affected software:
gogs
gogs
Detailed vulnerability description
The vulnerability allows a remote attacker to execute arbitrary commands.
The vulnerability exists due to improper handling of symbolic links in file deletion logic when deleting files through a symbolic link that points to the .git directory. A remote attacker can create a symbolic link that points to the .git directory and delete internal repository files to execute arbitrary commands.
Successful exploitation can lead to command execution with the privileges of the account specified by RUN_USER in the configuration.
How to mitigate CVE-2024-56731
Install security update from vendor's website.