Unprivileged user accounts can write to arbitrary files on the filesystem. We could demonstrate its exploitation to force a re-installation of the instance, granting administrator rights. It allows accessing and altering any user's code hosted on the same instance.

### Patches

Unintended Git options has been ignored for diff preview (https://github.com/gogs/gogs/pull/7871). Users should upgrade to 0.13.1 or the latest 0.14.0+dev.

### Workarounds

No viable workaround available, please only grant access to trusted users to your Gogs instance on affected versions.

### References

https://www.cve.org/CVERecord?id=CVE-2024-39932

Affected Packages

Go gogs.io/gogs

Affected versions: 0 (fixed in 0.13.1)

Related CVEs

CVE-2024-39932

Key Information

GHSA ID

GHSA-9pp6-wq8c-3w2c

Published

December 23, 2024 8:38 PM

Last Modified

December 23, 2024 8:38 PM

CVSS Score

9.0 /10

Primary Ecosystem

Primary Package

gogs.io/gogs

GitHub Reviewed

✓ Yes

Dataset

Last updated: July 9, 2025 6:27 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.