Gogs Releases Patch for Zero-Day Vulnerability That Could Lead to Remote Code Execution


Gogs has released a patch to address a critical zero-day vulnerability that has not yet been assigned a CVE identifier. The flaw is an Argument Injection vulnerability that could allow attackers to execute code remotely on affected servers. The vulnerability affects all Gogs versions up to 0.14.2, including 0.15.0+dev, and has been fixed in version 0.14.3.

Reports indicate that an attacker holding only a regular user account, with no administrator privileges, could exploit the vulnerability to access both public and private repositories, steal sensitive information, modify source code, or use the server as an initial foothold for lateral movement within the network. Moreover, under the default settings, which allow new account registration and do not limit the number of repositories a user can create, an attacker could simply register an account and create a repository to carry out the attack.

Administrators using Gogs should promptly update to version 0.14.3 or later. If immediate updating is not possible, they should disable new user registration, restrict repository creation permissions, and review the rebase merge settings for each repository to reduce the risk of exploitation through this vulnerability.
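As an added defender-side example (not code from the article or from the Gogs project), the following POSIX shell script audits a Gogs app.ini for the two interim mitigations named above, registration disabled and repository creation capped. It assumes Gogs reads DISABLE_REGISTRATION under [service] and MAX_CREATION_LIMIT under [repository] with -1 meaning unlimited; confirm both against the configuration reference for your installed version.

```shell
#!/bin/sh
# Added example, not from the article or the Gogs project: audit a Gogs app.ini
# for the two interim mitigations (self-registration off, repo creation capped).
# Assumes the keys [service] DISABLE_REGISTRATION and [repository]
# MAX_CREATION_LIMIT (-1 = unlimited); verify against your version's app.ini docs.

# ini_get FILE SECTION KEY: print the key's value (trailing comment stripped), or nothing
ini_get() {
  awk -v sect="$2" -v key="$3" '
    /^[[:space:]]*\[/ { cur = $0; gsub(/^[[:space:]]*\[|\].*$/, "", cur); next }
    cur == sect && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
      sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]*([;#].*)?$/, ""); print; exit
    }' "$1"
}

# gogs_audit FILE: print one "open:" line per mitigation still missing;
# returns 0 when both are in place, 1 otherwise
gogs_audit() {
  _rc=0
  _reg=$(ini_get "$1" service DISABLE_REGISTRATION)
  _lim=$(ini_get "$1" repository MAX_CREATION_LIMIT)
  case "$_reg" in
    true|True|TRUE|1|on|On|ON|yes|Yes|YES) ;;   # truthy spellings accepted by ini parsers
    *) echo "open: self-registration allowed (DISABLE_REGISTRATION=${_reg:-unset})"; _rc=1 ;;
  esac
  case "$_lim" in
    ''|-*) echo "open: repository creation unlimited (MAX_CREATION_LIMIT=${_lim:-unset})"; _rc=1 ;;
  esac
  return $_rc
}

# demo: constructed sample app.ini with the permissive defaults the article describes;
# returns gogs_audit's status (1 here, since both mitigations are missing)
demo() {
  _d=$(mktemp -d)
  cat > "$_d/app.ini" <<'EOF'
[service]
DISABLE_REGISTRATION = false
[repository]
MAX_CREATION_LIMIT = -1
EOF
  gogs_audit "$_d/app.ini" && _r=0 || _r=$?
  rm -rf "$_d"
  return $_r
}
```

Run `demo` to see both findings reported for the constructed defaults, or `gogs_audit /path/to/custom/conf/app.ini` against a real install.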

Source: https://www.bleepingcomputer.com/news/security/gogs-patches-critical-zero-day-enabling-remote-code-execution/