Executive Summary:
A critical argument injection vulnerability (CWE-88) has been discovered in Gogs, a widely used self-hosted Git service. Tracked as a CVSSv4 9.4 vulnerability, this flaw allows any authenticated user to execute arbitrary code on the underlying server operating system. Because Gogs defaults to open registration, this vulnerability effectively exposes many public-facing instances to unauthenticated remote code execution (RCE). At the time of this publication, no official patch is available.
Defenders must act immediately to mitigate this risk, as exploitation is trivial to perform and requires no administrative privileges or social engineering.
Technical Analysis
Affected Products & Versions:
- Product: Gogs (Go Git Service)
- Affected Versions: All current versions (Unpatched as of publication date).
- Platform: Linux, Windows, macOS (any platform hosting Gogs).
Vulnerability Details:
- CVE Identifier: Pending assignment (Rapid7 Labs Disclosure).
- CVSS Score: 9.4 (Critical) [CVSS v4.0].
- Vulnerability Type: Argument Injection (CWE-88).
Attack Chain & Mechanics: The vulnerability resides in how Gogs handles Git operations during Pull Request (PR) merging, specifically when the "Rebase before merging" option is selected.
- Initial Access: An attacker registers a user account on the target Gogs instance. This is often possible by default unless `DISABLE_REGISTRATION` is explicitly set to `true`.
- Preparation: The attacker creates a new branch whose name carries malicious arguments, specifically an injected `--exec` flag (e.g., `--exec=malignant_command.sh`).
- Trigger: The attacker opens a Pull Request and selects the "Rebase before merging" option.
- Exploitation: When Gogs attempts to rebase the branch, it constructs a `git rebase` command. Due to insufficient argument sanitization, the branch name is passed directly to the command line. The injected `--exec` flag causes Git to execute the attacker's payload on the server.
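The root cause is that a user-controlled ref name is spliced into `git`'s argv where the option parser still reads it. As an added illustration (not Gogs code and not the vendor's fix), the flawed argv construction is shown beside a hardened variant that validates the name against a subset of git's ref-name rules and terminates option parsing with `--`; it assumes the calling code builds the argv passed to `git` itself.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ValidateBranchName enforces a subset of the rules behind
// `git check-ref-format --branch`. The leading '-' check is the one that
// stops a name such as "--exec=..." from ever reaching git's option parser.
func ValidateBranchName(name string) error {
	switch {
	case name == "", name == "@":
		return errors.New("empty or reserved branch name")
	case strings.HasPrefix(name, "-"):
		return fmt.Errorf("branch name %q looks like a command-line option", name)
	case strings.HasPrefix(name, "/"), strings.HasPrefix(name, "."),
		strings.HasSuffix(name, "/"), strings.HasSuffix(name, "."), strings.HasSuffix(name, ".lock"):
		return fmt.Errorf("branch name %q has an invalid first or last component", name)
	case strings.Contains(name, ".."), strings.Contains(name, "@{"),
		strings.Contains(name, "//"), strings.Contains(name, "/."):
		return fmt.Errorf("branch name %q contains a forbidden sequence", name)
	}
	for _, r := range name {
		if r < 0x20 || r == 0x7f || strings.ContainsRune(" ~^:?*[\\", r) {
			return fmt.Errorf("branch name %q contains forbidden character %q", name, r)
		}
	}
	return nil
}

// UnsafeRebaseArgs mirrors the flawed pattern the advisory describes: the
// user-controlled branch name lands in argv where git still parses options,
// so "--exec=<cmd>" is read as an option rather than as a ref.
func UnsafeRebaseArgs(upstream, branch string) []string {
	return []string{"rebase", upstream, branch}
}

// SafeRebaseArgs validates both refs and ends option parsing with "--", so
// everything after it stays positional even if validation is ever loosened.
func SafeRebaseArgs(upstream, branch string) ([]string, error) {
	for _, ref := range []string{upstream, branch} {
		if err := ValidateBranchName(ref); err != nil {
			return nil, err
		}
	}
	return []string{"rebase", "--", upstream, branch}, nil
}
```

Running `SafeRebaseArgs("main", "--exec=malignant_command.sh")` returns an error before any process is spawned, while the unsafe form hands the same token to git as its third argument.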
Exploitation Status:
- Publicly Known: Yes, disclosed by Rapid7 Labs.
- Patch Availability: None. The vendor has not yet released a fix.
- Active Exploitation: Theoretical to imminent. Given the ease of exploitation and the lack of a patch, security teams should assume active scanning and exploitation attempts are occurring.
Detection & Response
Because this vulnerability targets the underlying OS process execution via the web application, detection relies on monitoring for suspicious child processes spawned by the Gogs service or specific Git command line arguments.
**Sigma Rules**

Note that the first rule uses the `contains|all` modifier: a plain `contains` list is an OR in Sigma and would fire on every ordinary `git rebase`.

```yaml
---
title: Gogs Argument Injection via Git Rebase Exec
id: a1b2c3d4-5678-490a-bcde-123456789012
status: experimental
description: Detects potential argument injection in Gogs via suspicious git rebase commands containing the --exec flag.
references:
  - https://www.rapid7.com/blog/post/ve-authenticated-rce-via-argument-injection-gogs-unfixed
author: Security Arsenal
date: 2025/04/10
tags:
  - attack.execution
  - attack.t1059.004
logsource:
  category: process_creation
  product: linux
detection:
  selection:
    Image|endswith: '/git'
    CommandLine|contains|all:
      - 'rebase'
      - '--exec'
  condition: selection
falsepositives:
  - Legitimate administrative use of git rebase --exec (rare in automated services)
level: critical
---
title: Web Server Spawning Shell via Git Service
id: b2c3d4e5-6789-490a-bcde-234567890123
status: experimental
description: Detects Gogs or Go web server spawning a shell or suspicious binary, indicative of successful RCE.
references:
  - https://www.rapid7.com/blog/post/ve-authenticated-rce-via-argument-injection-gogs-unfixed
author: Security Arsenal
date: 2025/04/10
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: process_creation
  product: linux
detection:
  selection_parent:
    ParentImage|endswith:
      - '/gogs'
      - '/go'   # if running from source
  selection_child:
    Image|endswith:
      - '/sh'
      - '/bash'
      - '/nc'
      - '/curl'
      - '/wget'
  condition: all of selection_*
falsepositives:
  - Administrative troubleshooting on the Gogs server
level: high
```
**KQL (Microsoft Sentinel / Defender)**
Hunts for the specific argument injection pattern in process creation logs. Note: This requires Linux endpoints forwarding auditd/sysmon data to Sentinel.
```kusto
DeviceProcessEvents
// DeviceProcessEvents exposes the image name as FileName (there is no ProcessName column)
| where ProcessVersionInfoOriginalFileName =~ "git.exe" or FileName =~ "git"
| where ProcessCommandLine contains "rebase" and ProcessCommandLine contains "--exec"
| extend HostName = DeviceName, Account = AccountName
| project Timestamp, HostName, Account, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc
```
**Velociraptor VQL**
Hunt for running processes on the Gogs server that exhibit the exploitation behavior.
```sql
-- Hunt for git rebase processes with the --exec flag
SELECT Pid, Name, CommandLine, Exe, Username, CreateTime
FROM pslist()
WHERE Name =~ 'git'
  AND CommandLine =~ 'rebase'
  AND CommandLine =~ '--exec'
```
**Remediation Script (Bash)**
This script provides immediate hardening by disabling open registration (reducing the attack surface to internal users only) and checking for the Gogs process owner to scope your hunts.
```bash
#!/bin/bash
# Gogs Emergency Hardening Script
# Usage: sudo ./gogs_hardening.sh
echo "[+] Starting Gogs Hardening Checks..."

# 1. Locate Gogs configuration file (common paths)
GOGS_CONF_PATHS=("/etc/gogs/conf/app.ini" "/opt/gogs/custom/conf/app.ini" "/home/git/gogs/custom/conf/app.ini")
CONFIG_FOUND=""
for path in "${GOGS_CONF_PATHS[@]}"; do
    if [ -f "$path" ]; then
        CONFIG_FOUND="$path"
        break
    fi
done
if [ -z "$CONFIG_FOUND" ]; then
    echo "[!] ERROR: Gogs configuration file (app.ini) not found in common locations."
    echo "    Please manually verify DISABLE_REGISTRATION in your app.ini."
    exit 1
fi
echo "[+] Found Gogs configuration at: $CONFIG_FOUND"

# 2. Check and Disable Open Registration (the key belongs to the [service] section)
echo "[+] Checking DISABLE_REGISTRATION setting..."
if grep -q "^DISABLE_REGISTRATION.*=.*false" "$CONFIG_FOUND"; then
    echo "[!] WARNING: Open registration is ENABLED."
    read -p "    Do you want to disable registration now? (y/n) " -n 1 -r
    echo
    if [[ $REPLY =~ ^[Yy]$ ]]; then
        sed -i 's/^DISABLE_REGISTRATION.*/DISABLE_REGISTRATION = true/' "$CONFIG_FOUND"
        echo "[+] Hardening applied: Registration disabled."
        echo "[!] ACTION REQUIRED: Restart the Gogs service to apply changes."
    else
        echo "[-] Skipped configuration change."
    fi
elif grep -q "^DISABLE_REGISTRATION.*=.*true" "$CONFIG_FOUND"; then
    echo "[+] Good: Registration is already disabled."
else
    echo "[!] NOTICE: DISABLE_REGISTRATION setting not explicitly found or commented out."
    echo "    Appending 'DISABLE_REGISTRATION = true' to configuration."
    # Appended as a trailing [service] block; verify it does not contradict an existing one.
    {
        echo ""
        echo "[service]"
        echo "DISABLE_REGISTRATION = true"
    } >> "$CONFIG_FOUND"
    echo "[+] Hardening applied. Restart Gogs service."
fi

# 3. Identify Gogs service user for hunting scope
# pgrep -x matches the process name exactly, so this script's own process
# (gogs_hardening.sh) is not mistaken for the service as 'ps | grep gogs' would.
echo "[+] Identifying Gogs process owner..."
GOGS_PID=$(pgrep -x gogs | head -n 1)
if [ -n "$GOGS_PID" ]; then
    PGOGS=$(ps -o user= -p "$GOGS_PID" | tr -d ' ')
    echo "[+] Gogs is running as user: $PGOGS"
    echo "    Scope your threat hunts to processes spawned by user '$PGOGS'."
else
    echo "[-] Gogs process not currently detected as running."
fi
echo "[+] Hardening script complete."
```
---
Remediation
As of this publication, there is no official patch available for this vulnerability. Security teams must implement the following mitigations immediately:
- Disable Open Registration (Immediate): Edit your `app.ini` file (usually located in `/custom/conf/app.ini`) and ensure the following setting is active, then restart the Gogs service to apply the change. This limits the attack surface to existing trusted users.

  ```ini
  [service]
  DISABLE_REGISTRATION = true
  ```

- Disable Pull Request Functionality (Workaround): If possible, temporarily disable Pull Request capabilities in your Gogs instance until a patch is released. This breaks the attack chain by preventing the "Rebase before merging" action.
- Network Segmentation & Access Control: Ensure Gogs instances are not exposed directly to the public internet. Place them behind a VPN or strict IP allow-lists.
- Audit Active Users: Review your user base for any recently created accounts that were not authorized by your administration team.
- Monitor Vendor Communications: Watch the official Gogs repository and the Rapid7 advisory for the release of a security patch, and apply it immediately upon availability.