Server-Side Request Forgery (SSRF) in gogs - CVE-2022-1285

 


Published: May 31, 2022 / Updated: April 27, 2026


Vulnerability identifier: #VU128088
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2022-1285
CWE-ID: CWE-918
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
gogs
Software vendor:
gogs.io

Description

The vulnerability allows a remote user with an account on the instance to discover services on the internal network.

The vulnerability exists due to server-side request forgery (SSRF) in the webhook functionality: the payload URL that a user supplies when configuring a webhook is not validated before the server connects to it. A remote user can point a webhook at loopback, link-local or private addresses and use the delivery attempts to probe for services on the internal network that are not reachable from outside.

All installations that accept public traffic are affected; the attacker needs only an account able to configure a webhook on a repository.
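The check a practitioner would want here, written as an added example that is not gogs's code nor the vendor's fix: validate a webhook payload URL before storing it and again before every delivery, reject anything that resolves to a loopback, link-local, multicast or private address, and pin the delivery connection to the vetted address so a DNS answer cannot change between check and use. Go is used because gogs is written in Go. The function names, the blocked-range list, the constructed resolver and the sample URLs are assumptions for illustration.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/netip"
	"net/url"
	"time"
)

// Ranges no webhook may reach: this-host, loopback, RFC 1918, CGNAT, link-local
// (covers the 169.254.169.254 metadata endpoint), multicast and reserved space.
var blockedNets = func() (ps []netip.Prefix) {
	for _, c := range []string{"0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
		"169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
		"::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8"} {
		ps = append(ps, netip.MustParsePrefix(c))
	}
	return ps
}()

func isBlockedIP(ip netip.Addr) bool {
	// ::ffff:10.0.0.1 is judged as 10.0.0.1; the zone of fe80::1%eth0 is dropped
	// because Prefix.Contains never matches a zoned address.
	ip = ip.Unmap().WithZone("")
	for _, p := range blockedNets {
		if p.Contains(ip) {
			return true
		}
	}
	return false
}

// ResolveFunc abstracts DNS; production code wraps net.DefaultResolver.LookupNetIP.
type ResolveFunc func(host string) ([]netip.Addr, error)

// ValidateWebhookURL accepts only http(s) URLs whose host resolves solely to public
// addresses and returns them for pinning. Hosts are judged by what they resolve to,
// never by string matching, and every answer is checked since one record can mix
// public and private addresses.
func ValidateWebhookURL(raw string, resolve ResolveFunc) ([]netip.Addr, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("scheme %q is not allowed", u.Scheme)
	}
	host := u.Hostname() // port and IPv6 brackets stripped
	if host == "" {
		return nil, errors.New("URL has no host")
	}
	var ips []netip.Addr
	if ip, perr := netip.ParseAddr(host); perr == nil {
		ips = []netip.Addr{ip}
	} else if ips, err = resolve(host); err != nil {
		return nil, fmt.Errorf("resolving %q: %w", host, err)
	}
	if len(ips) == 0 {
		return nil, fmt.Errorf("%q resolved to no addresses", host)
	}
	for _, ip := range ips {
		if isBlockedIP(ip) {
			return nil, fmt.Errorf("%q resolves to non-public address %s", host, ip)
		}
	}
	return ips, nil
}

// NewPinnedClient dials only the vetted address, so a changed DNS answer at delivery
// time (rebinding) cannot redirect the request, and refuses HTTP redirects, which
// would let a public host bounce the delivery inward. TLS still verifies the URL host.
func NewPinnedClient(ip netip.Addr) *http.Client {
	return &http.Client{
		Timeout: 10 * time.Second,
		Transport: &http.Transport{
			DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
				_, port, err := net.SplitHostPort(addr)
				if err != nil {
					return nil, err
				}
				d := &net.Dialer{Timeout: 5 * time.Second}
				return d.DialContext(ctx, network, net.JoinHostPort(ip.String(), port))
			},
		},
		CheckRedirect: func(*http.Request, []*http.Request) error {
			return errors.New("webhook deliveries do not follow redirects")
		},
	}
}

func main() {
	resolve := func(string) ([]netip.Addr, error) { // constructed: every name is public
		return []netip.Addr{netip.MustParseAddr("203.0.113.10")}, nil
	}
	for _, raw := range []string{"https://hooks.example/gogs", "http://127.0.0.1:3000/",
		"http://169.254.169.254/latest/meta-data/", "http://[fe80::1%25eth0]/"} {
		ips, err := ValidateWebhookURL(raw, resolve)
		fmt.Printf("%-42s ips=%v err=%v\n", raw, ips, err)
	}
}
```

Two points of the design matter for this CVE class. Validation must run on resolved addresses rather than on the hostname string, otherwise "localhost", an attacker's own DNS record pointing at 10.0.0.5, or an IPv4-mapped IPv6 literal all slip past a denylist of names; and the address that passed the check must be the one actually dialled, otherwise a record with a short TTL can answer a public IP to the validator and an internal IP to the delivery. Refusing redirects closes the remaining path, where an attacker's public server simply replies 302 to an internal URL.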


Remediation

Install the security update from the vendor's website.

External links