Loading HuntDB...

GHSA-ccqv-43vm-4f3w

GitHub Security Advisory

Gogs allows deletion of internal files

✓ GitHub Reviewed CRITICAL Has CVE

Advisory Details

### Impact

Unprivileged user accounts can execute arbitrary commands on the Gogs instance with the privileges of the account specified by `RUN_USER` in the configuration. It allows attackers to access and alter any users' code hosted on the same instance.

### Patches

Deletion of `.git` files has been prohibited (https://github.com/gogs/gogs/pull/7870). Users should upgrade to 0.13.1 or the latest 0.14.0+dev.

### Workarounds

No viable workaround available, please only grant access to trusted users to your Gogs instance on affected versions.

### References

https://www.cve.org/CVERecord?id=CVE-2024-39931

Affected Packages

Go gogs.io/gogs
Affected versions: 0 (fixed in 0.13.1)

Related CVEs

Key Information

GHSA ID
GHSA-ccqv-43vm-4f3w
Published
December 23, 2024 8:38 PM
Last Modified
December 23, 2024 8:38 PM
CVSS Score
9.0 /10
Primary Ecosystem
Go
Primary Package
gogs.io/gogs
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 9, 2025 6:27 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.