Overview
- Rapid7 publicly disclosed the argument-injection zero-day on May 28–29 and said the flaw was reported to Gogs maintainers in mid-March with an acknowledgement on March 28.
- The bug lets any authenticated user inject the git rebase --exec flag via a malicious branch name during a ‘Rebase before merging’ operation to execute arbitrary commands as the Gogs server process user.
- Successful exploitation can let attackers read all repositories on an instance, dump credentials and keys, modify hosted code, and pivot to other systems, creating supply-chain and data-breach risks.
- Rapid7 released a Metasploit module and IoCs that automate the full exploit chain and speed both attacks and defensive hunting while thousands of default-configured, internet-facing Gogs instances remain exposed.
- Until a vendor patch is published, defenders should disable open registration, restrict repository creation, audit or disable rebase-before-merge settings, and use the published IoCs to hunt for compromises.
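The defensive pattern behind the bug described above, as an added example that is not Gogs' or Rapid7's code: a user-controlled branch name must never reach a git command line where it could be parsed as an option. The function names and the placeholder branch names are constructed for this illustration; the naming rules follow git-check-ref-format(1).

```python
import re

# Characters git-check-ref-format(1) forbids anywhere in a ref name:
# control characters, space, ~, ^, :, ?, *, [ and backslash.
_FORBIDDEN = re.compile(r"[\x00-\x1f\x7f ~^:?*\[\\]")


def is_safe_branch_name(name: str) -> bool:
    """Return True only if `name` is a well-formed branch name that can
    never be mistaken for a git option (the argument-injection case)."""
    if not name or name.startswith("-"):
        return False  # a leading dash is exactly what lets a ref become a flag
    if _FORBIDDEN.search(name) or ".." in name or "@{" in name or "//" in name:
        return False
    if name.endswith(("/", ".", ".lock")):
        return False
    # no component may start with '.' or end with '.lock'
    return not any(p.startswith(".") or p.endswith(".lock") for p in name.split("/"))


def naive_rebase_argv(upstream: str) -> list[str]:
    """Unhardened construction (constructed illustration of the flaw class):
    whatever the user named the branch lands directly in argv."""
    return ["git", "rebase", upstream]


def hardened_rebase_argv(upstream: str) -> list[str]:
    """Hardened construction: validate the name first, then pass the fully
    qualified ref so the argument can never start with a dash even if the
    validation is later relaxed."""
    if not is_safe_branch_name(upstream):
        raise ValueError(f"refusing option-like or malformed ref: {upstream!r}")
    return ["git", "rebase", "refs/heads/" + upstream]


if __name__ == "__main__":
    # Constructed sample names; the second is shaped like an option, not a branch.
    for candidate in ("feature/login-fix", "--exec=PLACEHOLDER"):
        print(candidate, "safe" if is_safe_branch_name(candidate) else "REJECTED")
```

The naive variant shows why the flaw class exists: argv position two is whatever the user typed, so a name beginning with `--` is read by git as an option rather than a ref.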