Attackers can execute commands remotely and bypass two-factor authentication thanks to serious vulnerabilities in Gogs, a lightweight self-hosted Git service. Many organisations that run Gogs for private code hosting are affected.

Overview of Vulnerabilities

CVE-2025-64111, an OS command injection vulnerability with a CVSS score of 9.3, affects Gogs versions up to and including 0.13.3.
It results from an incomplete patch for an earlier flaw that let attackers use the repository contents API (a PUT request) to overwrite .git/config. An attacker with push access to a repository first commits a symlink that points at .git/config (ln -s .git/config link) and pushes it. They then send a PUT request to /api/v1/repos/{owner}/{repo}/contents/link whose base64-encoded content is a malicious Git configuration, for example sshCommand = touch /tmp/abc, or a crafted remote. The API's UpdateRepoFile handler validates the literal path "link" but writes through the symlink, so the content lands in .git/config; the injected setting is executed the next time the server runs a Git operation on the repository, giving remote code execution (RCE).

Gogs also faces two further issues. CVE-2025-64175 (CVSS 7.7) is a 2FA bypass: an attacker who knows a victim's credentials can complete the second factor with recovery codes issued to the attacker's own account, because recovery codes are not checked against the account that is logging in. CVE-2026-24135 (CVSS 7.2) lets an authenticated user delete files through path traversal in the wiki.
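The check the incomplete fix was missing, as an added example in Go (the language Gogs is written in) that is not the project's own code: SafeWritePath is an assumed helper modelled on what a file-update handler needs, not Gogs' UpdateRepoFile, and the list of dangerous config keys is an illustrative sample. The helper resolves the requested path through symlinks before testing whether it lands inside .git, which is exactly the step that lets "link" be mistaken for a harmless file; FlagConfig audits a .git/config body for keys such as sshCommand that git hands to a shell. The demo checkout built in main is constructed for the example.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrUnsafePath is returned for any path the contents API must refuse to write.
var ErrUnsafePath = errors.New("refusing to write a path that escapes the checkout or resolves into .git")

// SafeWritePath (assumed helper, not Gogs' UpdateRepoFile) rejects absolute
// paths and ".." components lexically, then resolves every existing prefix of
// the path through symlinks and requires the result to lie inside the checkout
// and outside its .git directory. The symlink step is what the incomplete fix
// missed: "link" looks harmless until it is resolved to ".git/config".
func SafeWritePath(checkout, relPath string) (string, error) {
	if relPath == "" || filepath.IsAbs(relPath) {
		return "", ErrUnsafePath
	}
	for _, part := range strings.Split(filepath.ToSlash(relPath), "/") {
		if part == ".." {
			return "", ErrUnsafePath
		}
	}
	root, err := filepath.EvalSymlinks(checkout)
	if err != nil {
		return "", err
	}
	resolved, err := resolveExisting(root, filepath.Clean(relPath))
	if err != nil {
		return "", err
	}
	rel, err := filepath.Rel(root, resolved)
	sep := string(filepath.Separator)
	if err != nil || rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+sep) {
		return "", ErrUnsafePath
	}
	// Only the exact ".git" name is checked here; git itself also refuses case
	// variants such as ".GIT", which a production check should mirror.
	if rel == ".git" || strings.HasPrefix(rel, ".git"+sep) {
		return "", ErrUnsafePath
	}
	return resolved, nil
}

// resolveExisting walks rel one component at a time under root. Components that
// exist are resolved with EvalSymlinks; the first missing component and what
// follows it is appended literally, since a new file may be created there. An
// entry that exists but cannot be resolved (a dangling symlink) is an error,
// because writing through it would create the symlink's target.
func resolveExisting(root, rel string) (string, error) {
	cur := root
	parts := strings.Split(rel, string(filepath.Separator))
	for i, part := range parts {
		next := filepath.Join(cur, part)
		if _, err := os.Lstat(next); err != nil {
			if os.IsNotExist(err) {
				return filepath.Join(append([]string{cur}, parts[i:]...)...), nil
			}
			return "", err
		}
		r, err := filepath.EvalSymlinks(next)
		if err != nil {
			return "", err
		}
		cur = r
	}
	return cur, nil
}

// dangerousConfigKeys is an assumed, non-exhaustive sample of git config keys
// whose values git passes to a shell; sshCommand is the one named in the PoC.
var dangerousConfigKeys = []string{"sshcommand", "fsmonitor", "hookspath", "pager", "editor", "askpass"}

// FlagConfig scans a .git/config body and returns the dangerous keys it sets,
// lower-cased, in file order, for auditing repositories that may be tampered.
func FlagConfig(body string) []string {
	var hits []string
	sc := bufio.NewScanner(strings.NewReader(body))
	for sc.Scan() {
		kv := strings.SplitN(strings.TrimSpace(sc.Text()), "=", 2)
		if len(kv) != 2 {
			continue
		}
		key := strings.ToLower(strings.TrimSpace(kv[0]))
		for _, d := range dangerousConfigKeys {
			if key == d {
				hits = append(hits, key)
			}
		}
	}
	return hits
}

func main() {
	// Constructed demo checkout: a .git/config plus the attacker's symlink.
	dir, err := os.MkdirTemp("", "gogs-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	must(os.MkdirAll(filepath.Join(dir, ".git"), 0755))
	must(os.WriteFile(filepath.Join(dir, ".git", "config"), []byte("[core]\n\tbare = false\n"), 0644))
	must(os.Symlink(filepath.Join(".git", "config"), filepath.Join(dir, "link")))

	for _, p := range []string{"README.md", "link", ".git/config", "../outside"} {
		_, err := SafeWritePath(dir, p)
		fmt.Printf("%-12s -> %v\n", p, err)
	}
	fmt.Println("flagged keys:", FlagConfig("[core]\n\tsshCommand = touch /tmp/abc\n"))
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}
```

Running it shows README.md accepted and link, .git/config and ../outside refused; the same check applied to a directory symlink (docs/g -> .git) rejects docs/g/config, which a purely lexical filter on the leading ".git" component would never catch.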
CVE ID           Severity (CVSS)   Description                               Affected Versions   Patched Versions      CWE
CVE-2025-64111   Critical (9.3)    RCE via .git/config update in API         <=0.13.3            0.13.4, 0.14.0+dev    CWE-78
CVE-2025-64175   High (7.7)        2FA recovery code cross-account bypass    <=0.13.3            0.13.4, 0.14.0+dev    N/A
CVE-2026-24135   High (7.2)        Wiki path traversal file deletion         <=0.13.3            0.13.4, 0.14.0+dev    N/A

Update to Gogs 0.13.4 or 0.14.0+dev right away. Enforce strict authentication, limit which accounts can push (the RCE requires push access to a repository), disable public repository access where it is not needed, and monitor the repository contents API endpoints. Consider migrating to Gitea, an actively maintained fork of Gogs.
Although no weaponized public exploit is known, the proof-of-concept steps above make weaponization simple. The vulnerability highlights the risks of self-hosted Git tooling: in development environments, timely patching is what prevents a server takeover.