CVE-2025-64111 in Gogs
Summary
by MITRE • 02/06/2026
Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, due to the insufficient patch for CVE-2024-56731, it's still possible to update files in the .git directory and achieve remote command execution. This issue has been patched in versions 0.13.4 and 0.14.0+dev.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 02/19/2026
The vulnerability identified as CVE-2025-64111 affects Gogs, an open source self-hosted Git service that provides distributed version control capabilities for organizations seeking to maintain their own Git repositories without relying on external services. This issue represents a critical security flaw that emerged from inadequate remediation of a previous vulnerability, specifically CVE-2024-56731, which demonstrates the importance of comprehensive security patching and validation. The vulnerability exists in Gogs versions 0.13.3 and earlier, creating a persistent risk for organizations that have not upgraded to the patched versions 0.13.4 or 0.14.0+dev.
The technical flaw stems from insufficient restrictions on file operations within the .git directory structure, which is fundamental to Git's operation and contains all repository metadata, object database, and configuration information. Attackers can exploit this weakness to manipulate files within the .git directory, potentially allowing them to inject malicious code or modify critical Git operations. This vulnerability operates at the core of Git's file system interaction mechanisms and leverages the trust model inherent in Git repository management. The flaw specifically permits unauthorized modification of .git directory contents, which can lead to arbitrary code execution when the Git service processes these manipulated files during normal operations. This represents a classic privilege escalation vulnerability that can be exploited through carefully crafted repository operations or file uploads that bypass normal access controls.
The operational impact of this vulnerability is severe and far-reaching for organizations using vulnerable Gogs installations. Remote command execution capabilities enable attackers to gain complete control over affected systems, potentially leading to data breaches, service disruption, and lateral movement within network environments. The .git directory contains critical repository information including commit history, object references, and configuration settings that when compromised can result in complete repository corruption or unauthorized access to sensitive source code. Organizations relying on Gogs for code management and version control face significant risk of exposure to malicious actors who can exploit this vulnerability to execute arbitrary commands on the host system, potentially leading to full system compromise. The vulnerability's persistence across multiple minor versions indicates a fundamental flaw in the patching process and highlights the importance of thorough security validation before releasing updates.
Mitigation strategies for this vulnerability require immediate action to upgrade affected Gogs installations to versions 0.13.4 or 0.14.0+dev where the issue has been properly addressed. Organizations should conduct comprehensive vulnerability assessments to identify all instances of vulnerable Gogs installations within their infrastructure and implement immediate patching procedures. Network segmentation and access controls should be strengthened to limit exposure while patches are deployed, particularly restricting access to Git repositories from untrusted networks. The vulnerability aligns with CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and CWE-78 (Improper Neutralization of Special Elements used in an OS Command) in the Common Weakness Enumeration catalog, demonstrating the intersection of path traversal and command injection vulnerabilities. From an ATT&CK framework perspective, this vulnerability maps to T1059.001 (Command and Scripting Interpreter: PowerShell) and T1068 (Exploitation for Privilege Escalation) as attackers can leverage the remote execution capability to escalate privileges and maintain persistence within compromised systems. Security teams should implement monitoring for suspicious Git operations and file system modifications in .git directories to detect potential exploitation attempts. The vulnerability underscores the critical importance of maintaining up-to-date software versions and implementing proper security validation processes to ensure that patches effectively address the root causes of security issues rather than merely superficial symptoms.