Gogs is an open source self-hosted Git service. Prior to version 0.14.2, overwritable LFS object across different repos leads to supply-chain attack, all LFS objects are vulnerable to be maliciously overwritten by malicious attackers. This issue has been patched in version 0.14.2.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:LGogs
APPGogs< 0.14.2
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
Related vulnerabilities
CVE-2025-64111CRITICAL9.3PL ✓ten sam produkt
Gogs: ominięcie patcha CVE-2024-56731 umożliwia RCE przez .git
CVE-2024-56731CRITICAL10.0PL ✓ten sam produkt
Gogs: RCE przez usuwanie plików w katalogu .git (bypass patcha CVE-2024-39931)
CVE-2022-1884CRITICAL9.8PL ✓ten sam produkt
RCE w Gogs poprzez command injection w parametrze tree_path (Windows)
CVE-2024-39930CRITICAL9.9PL ✓ten sam produkt
Argument injection w serwerze SSH Gogs prowadzący do RCE
CVE-2024-39931CRITICAL9.9PL ✓ten sam produkt
Gogs – nieautoryzowane usuwanie plików wewnętrznych (CWE-552)