A triple threat of security vulnerabilities has been uncovered in Gogs, the popular self-hosted Git service known for its lightweight footprint. The flaws, tracked as CVE-2025-64111, CVE-2025-64175, and CVE-2026-24135, expose installations to a range of attacks, from remote code execution to total account takeover.
The most critical of the bunch is CVE-2025-64111, which carries a CVSS score of 9.3. It allows an attacker to achieve remote command execution by tampering with the repository's own Git configuration (the .git/config file) through the file-update API.
The issue stems from an “insufficient patch” for a previous vulnerability. “It’s still possible to update files in the .git directory and achieve remote command execution,” the advisory explains. By bypassing security checks in the UpdateRepoFile function, an attacker can modify the .git/config file via the API, turning a standard repository update into a system compromise.
The second flaw, CVE-2025-64175 (CVSS 7.7), strikes at the heart of user authentication. In versions 0.13.3 and prior, Gogs failed to properly scope 2FA recovery codes to specific users.
“If an attacker knows a victim’s username and password, they can use any unused recovery code (e.g., from their own account) to bypass the victim’s 2FA,” the advisory warns.
This “cross-account bypass” renders Two-Factor Authentication (2FA) effectively useless against an attacker with stolen credentials, allowing for full account takeover.
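The following Go program is an added illustration of the scoping bug described above; it is not Gogs code and does not reproduce the project's actual storage schema. It models a recovery-code table with a hypothetical in-memory store and shows the lookup that is keyed on the code alone beside the lookup that also requires the code to belong to the authenticating user. The user IDs and code strings are constructed sample data.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// recoveryCode is one stored 2FA recovery code. Real deployments store a
// hash rather than the plaintext; this toy store does the same.
type recoveryCode struct {
	UserID   int64
	CodeHash string
	Used     bool
}

// hashCode is a stand-in for whatever digest the application uses.
func hashCode(code string) string {
	sum := sha256.Sum256([]byte(code))
	return hex.EncodeToString(sum[:])
}

type store struct{ codes []*recoveryCode }

var errNoMatch = errors.New("recovery code not valid")

// useRecoveryCodeUnscoped mirrors the flaw: the lookup is keyed on the code
// only, so any unused code from any account is accepted for any user.
// (userID is deliberately ignored here to show the bug.)
func (s *store) useRecoveryCodeUnscoped(userID int64, code string) error {
	h := hashCode(code)
	for _, c := range s.codes {
		if !c.Used && subtle.ConstantTimeCompare([]byte(c.CodeHash), []byte(h)) == 1 {
			c.Used = true
			return nil
		}
	}
	return errNoMatch
}

// useRecoveryCodeScoped only considers codes that belong to the user who is
// authenticating, which is the property the fix has to guarantee.
func (s *store) useRecoveryCodeScoped(userID int64, code string) error {
	h := hashCode(code)
	for _, c := range s.codes {
		if c.UserID != userID || c.Used {
			continue
		}
		if subtle.ConstantTimeCompare([]byte(c.CodeHash), []byte(h)) == 1 {
			c.Used = true // single use: burn the code on success
			return nil
		}
	}
	return errNoMatch
}

// newStore builds constructed sample data: user 1 is the victim, user 2 the attacker.
func newStore() *store {
	return &store{codes: []*recoveryCode{
		{UserID: 1, CodeHash: hashCode("victim-code-1")},
		{UserID: 2, CodeHash: hashCode("attacker-code-1")},
	}}
}

func main() {
	s := newStore()
	// The attacker knows user 1's password and presents a code from their own account.
	fmt.Println("unscoped lookup:", s.useRecoveryCodeUnscoped(1, "attacker-code-1"))
	s = newStore()
	fmt.Println("scoped lookup:  ", s.useRecoveryCodeScoped(1, "attacker-code-1"))
	fmt.Println("scoped lookup:  ", s.useRecoveryCodeScoped(1, "victim-code-1"))
}
```

In SQL terms the difference is `WHERE code_hash = ? AND used = 0` versus `WHERE user_id = ? AND code_hash = ? AND used = 0`; when auditing a 2FA implementation, check that every recovery-code, TOTP and WebAuthn lookup carries the session's user ID as a predicate rather than relying on the secret value being globally unique.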
The third flaw is CVE-2026-24135 (CVSS 7.2), a path traversal vulnerability in the wiki update feature. This flaw allows an authenticated user to delete arbitrary files on the server by manipulating the old_title parameter during a rename operation.
“The os.Remove function will resolve the path relative to the wiki’s local directory and delete the target file,” the advisory states.
While the vulnerability is somewhat limited by the file extension (the code appends .md to the supplied name, so only files ending in .md can be targeted), the impact can still be significant: an authenticated user can delete wiki pages or any other .md file the Gogs process is able to remove, leading to denial of service or the loss of critical documentation.
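Both the .git/config write (CVE-2025-64111) and the wiki rename deletion (CVE-2026-24135) are failures to constrain a user-supplied path before handing it to the filesystem. The Go program below is an added example of the checks a file-update or wiki-rename handler should apply; it is not Gogs's code and the function names, the repository and wiki directories, and the inputs are hypothetical. It resolves the untrusted name inside the intended base directory and separately refuses any component named .git, mirroring the .md suffixing the advisory describes for the wiki case.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

var (
	errTraversal = errors.New("path escapes base directory")
	errGitDir    = errors.New("writes inside .git are not allowed")
)

// resolveWithin joins an untrusted relative path onto base and guarantees the
// result stays inside base. Join cleans the path, so "..", "./" and repeated
// separators cannot be used to step out; filepath.Rel then proves containment.
func resolveWithin(base, untrusted string) (string, error) {
	base = filepath.Clean(base)
	// An absolute input is never a legitimate repo or wiki path.
	if filepath.IsAbs(untrusted) {
		return "", errTraversal
	}
	joined := filepath.Join(base, untrusted)
	rel, err := filepath.Rel(base, joined)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errTraversal
	}
	return joined, nil
}

// rejectGitDir refuses any path with a ".git" component, so a repository-file
// update can never reach .git/config, hooks or other repository metadata.
func rejectGitDir(rel string) error {
	for _, part := range strings.Split(filepath.ToSlash(filepath.Clean(rel)), "/") {
		if strings.EqualFold(part, ".git") {
			return errGitDir
		}
	}
	return nil
}

// repoFilePath is the check a repository file-update endpoint would apply to
// the tree path it receives from the client (hypothetical handler helper).
func repoFilePath(repoDir, treePath string) (string, error) {
	if err := rejectGitDir(treePath); err != nil {
		return "", err
	}
	return resolveWithin(repoDir, treePath)
}

// wikiPagePath is the check a wiki rename or delete would apply to old_title.
// Like the vulnerable code it appends ".md"; unlike it, it contains the result.
func wikiPagePath(wikiDir, title string) (string, error) {
	return resolveWithin(wikiDir, title+".md")
}

func main() {
	// Constructed inputs against hypothetical directories.
	for _, in := range []string{"docs/README.md", ".git/config", "docs/../../.git/config"} {
		p, err := repoFilePath("/srv/repo", in)
		fmt.Printf("repo %-26q -> %q %v\n", in, p, err)
	}
	for _, in := range []string{"Home", "../../etc/passwd", "/etc/passwd"} {
		p, err := wikiPagePath("/srv/wiki", in)
		fmt.Printf("wiki %-26q -> %q %v\n", in, p, err)
	}
}
```

These checks are lexical: filepath.Clean and filepath.Rel do not resolve symbolic links, so a symlink already present inside the base directory can still point outside it. A handler that operates on an on-disk checkout should additionally resolve the final path with filepath.EvalSymlinks (or open with O_NOFOLLOW semantics) and re-run the containment test on the resolved path.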
The maintainers have addressed these issues in updated versions.
- CVE-2025-64175 (2FA Bypass) and CVE-2026-24135 (File Deletion) are fixed in versions 0.13.4 and 0.14.0+dev.
Administrators running Gogs are strongly advised to upgrade immediately to the latest release to close these doors before they can be exploited.