Gogs Pathspec Flaw Lets Malicious Filenames Break Repository and Wiki Pages
Gogs disclosed a denial-of-service vulnerability, CVE-2025-64719, affecting gogs.io/gogs versions 0.14.2 and earlier. A malicious user with permission to create a new repository file or wiki entry can use a specially crafted filename containing Git pathspec-related characters to trigger persistent HTTP 500 errors on repository index and wiki listing pages. Public details in GitHub advisory GHSA-3qq3-668m-v9mj show a proof of concept using the filename:
[]
The flaw stems from commit information recovery logic in internal/route/repo/view.go and internal/route/repo/wiki.go, including a case where commits[0] may be dereferenced without confirming a valid value exists. The impact is limited to availability of the affected repository or wiki pages in the web interface; command-line Git operations are not affected, and the issue does not enable code execution or data theft. Gogs reported the bug was fixed in a release published on 2026-06-07, with public disclosure following on 2026-06-19.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Gogs DoS vulnerability reported privately
The disclosure timeline states that the denial-of-service vulnerability in Gogs was reported in November 2025. The issue affects repository and wiki listing pages when crafted filenames trigger Git pathspec handling errors.
GitHub advisory publicly discloses Gogs DoS flaw
On 2026-06-19, the vulnerability was publicly disclosed via GitHub Security Advisory GHSA-3qq3-668m-v9mj. The advisory described a proof of concept using the filename "[]" and said the impact was limited to the affected repository or wiki web interface.
Gogs fixes CVE-2025-64719 in a release
The disclosure timeline says the vulnerability was fixed in a release on 2026-06-07. The flaw affected Gogs 0.14.2 and earlier and could cause persistent HTTP 500 errors on repository or wiki index pages.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Arbitrary File Deletion Flaw in Gogs Wiki Update Enables Path Traversal
Gogs disclosed a security advisory for an **arbitrary file deletion** vulnerability in its wiki page update functionality, tracked as `GHSA-jp7c-wj6q-3qf2`. The flaw stems from a **path traversal** issue that can let an attacker manipulate file paths during wiki updates and delete files outside the intended directory, creating a risk to repository integrity and server-side data stored by the self-hosted Git service. A public repository referencing `CVE-2026-24135` later documented the same issue as an arbitrary file deletion bug in Gogs caused by wiki path traversal, indicating that technical details are now publicly accessible. Organizations running Gogs should review exposed wiki features, assess whether untrusted users can modify wiki content, and prioritize vendor guidance and patching to prevent unauthorized deletion of application or system files.
May 25, 2026
Unpatched Gogs Argument Injection Flaw Enables Authenticated RCE
Rapid7 and BleepingComputer reported an unpatched **zero-day** in the self-hosted Git service **Gogs** that allows **authenticated remote code execution** through argument injection in the pull request rebase workflow. The flaw affects current releases including `0.14.2` and `0.15.0+dev`, and likely earlier versions that support rebase merging. An attacker can abuse the **"Rebase before merging"** feature by supplying a malicious branch name that is passed into a `git rebase` command without a proper option separator, enabling use of Git's `--exec` flag to run attacker-controlled shell commands as the Gogs server process user. The issue is rated **CVSSv4 9.4** and is considered especially dangerous on default-configured instances because **open registration** and unrestricted repository creation are enabled by default, lowering the barrier to exploitation. Successful attacks could expose private repositories, stored credentials, and secrets, enable code tampering and supply-chain compromise, and support lateral movement deeper into victim networks. Rapid7 said no vendor patch was available at publication time and released a Metasploit module for Linux and Windows, while separate reporting noted Gogs maintainers had only acknowledged the report. The disclosures follow broader scrutiny of Git hosting platforms, including a recently disclosed **Gitea** flaw, `CVE-2026-27771`, that can expose private container images without authentication on versions prior to `1.26.2`.
Jun 8, 2026
Remote Code Execution via File Overwrite in Gogs PutContents API
A critical vulnerability, tracked as CVE-2025-8110, has been identified in the PutContents API of the *Gogs* self-hosted Git service. The flaw arises from improper handling of symbolic links, allowing remote, authenticated attackers to overwrite arbitrary files on the server. Successful exploitation enables attackers to execute arbitrary code with the privileges of the Gogs server process, potentially leading to full system compromise. Security researchers have reported that this vulnerability is being actively exploited in the wild, and it affects Gogs versions 0.13.3 and prior. Currently, there is no patched version available to address CVE-2025-8110. Administrators are advised to disable auto-registration of users and avoid exposing Gogs instances to the internet as temporary mitigations. Detection of vulnerable systems can be performed using specific queries to identify Gogs installations, such as searching for HTTP services with a known favicon hash. Organizations running Gogs should prioritize mitigation steps to reduce the risk of exploitation until an official fix is released.
Mar 21, 2026