Overview
- Rapid7 researchers privately reported the argument-injection bug to Gogs maintainers in mid-March and the issue was acknowledged on March 28, but no patch had been released by the public disclosure on May 28.
- The flaw lets any authenticated user inject git rebase's --exec flag: opening a pull request from a branch whose name git parses as an option makes the server run attacker-supplied commands as the Gogs process.
- Because Gogs ships with open registration and unlimited repo creation by default, an attacker can create an account and repository on many instances and exploit the bug without admin privileges or other users' interaction.
- Rapid7 released a Metasploit module on May 28 that automates the exploit for Linux and Windows targets, and internet scans report roughly 1,000 to 2,400+ Gogs servers exposed online, increasing the chance of rapid abuse.
- Operators should immediately disable open registration, restrict repository creation, and audit or disable rebase-before-merge settings while waiting for an official patch. The bug follows a recent pattern of argument-injection RCEs in self-hosted Git services, and Gogs itself patched a separate RCE earlier this year.
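The root cause described above is a positional argument (a branch name) reaching git's option parser. As an added example, not code from Gogs or Rapid7, the Go snippet below shows the two defensive controls a self-hosted Git service needs before it ever spawns `git rebase`: refuse ref names that git could read as an option (a re-implementation of the relevant subset of git's ref-name rules, not a call into git), and place the `--` end-of-options marker ahead of every user-controlled positional argument. The function names, the sample branch names and the repository path are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"strings"
)

// ErrUnsafeRef is returned for any branch name the service must not pass to git.
var ErrUnsafeRef = errors.New("unsafe git ref name")

// ValidateBranchName rejects names that git's option parser could treat as a flag
// (anything starting with "-") and names that violate git's ref-name rules.
// The rule set is a hand-written subset of git-check-ref-format, not Gogs' own check.
func ValidateBranchName(name string) error {
	if name == "" || name == "@" {
		return ErrUnsafeRef
	}
	if strings.HasPrefix(name, "-") { // would be parsed as an option such as --exec
		return ErrUnsafeRef
	}
	if strings.HasPrefix(name, ".") || strings.HasSuffix(name, ".") ||
		strings.HasSuffix(name, "/") || strings.HasSuffix(name, ".lock") {
		return ErrUnsafeRef
	}
	if strings.Contains(name, "..") || strings.Contains(name, "@{") || strings.Contains(name, "//") {
		return ErrUnsafeRef
	}
	for _, r := range name {
		if r < 0x20 || r == 0x7f { // ASCII control characters
			return ErrUnsafeRef
		}
		if strings.ContainsRune(" ~^:?*[\\", r) { // characters git forbids in refnames
			return ErrUnsafeRef
		}
	}
	return nil
}

// RebaseArgs builds the argv (without the leading "git") for rebasing a pull
// request head branch onto its base. Both names are validated, and "--" is placed
// before them so git stops option parsing before it sees either name.
func RebaseArgs(head, base string) ([]string, error) {
	for _, n := range []string{head, base} {
		if err := ValidateBranchName(n); err != nil {
			return nil, fmt.Errorf("%w: %q", err, n)
		}
	}
	return []string{"rebase", "--", base, head}, nil
}

// RebaseCommand returns the ready-to-run command for a repository directory.
// It is not executed here; callers run it with cmd.Run() inside the repo.
func RebaseCommand(repoDir, head, base string) (*exec.Cmd, error) {
	args, err := RebaseArgs(head, base)
	if err != nil {
		return nil, err
	}
	cmd := exec.Command("git", args...)
	cmd.Dir = repoDir
	return cmd, nil
}

func main() {
	// Constructed sample names: one benign, one option-shaped, one malformed.
	for _, n := range []string{"feature/login-fix", "--exec", "a..b"} {
		fmt.Printf("%-20q -> %v\n", n, ValidateBranchName(n))
	}
	// Placeholder repository path; only the resulting argv is shown.
	cmd, err := RebaseCommand("/srv/gogs/repos/example.git", "feature/login-fix", "main")
	if err != nil {
		fmt.Println("refused:", err)
		return
	}
	fmt.Println(cmd.Args)
}
```

The validation step is the primary control: a name that starts with `-` never reaches git at all. The `--` marker is defence in depth for the case where a future code path forgets to validate, because git's option parser stops consuming flags at `--` and treats everything after it as positional arguments.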