← Back to CVEs
CVE-2024-56731
CRITICAL10.0
Description
Gogs is an open source self-hosted Git service. Prior to version 0.13.3, it's still possible to delete files under the .git directory and achieve remote command execution due to an insufficient patch for CVE-2024-39931. Unprivileged user accounts can execute arbitrary commands on the Gogs instance with the privileges of the account specified by RUN_USER in the configuration. Allowing attackers to access and alter any users' code hosted on the same instance. This issue has been patched in version 0.13.3.
CVE Details
CVSS v3.1 Score10.0
SeverityCRITICAL
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack VectorNETWORK
ComplexityLOW
Privileges RequiredNONE
User InteractionNONE
Published6/24/2025
Last Modified8/21/2025
Sourcenvd
Honeypot Sightings0
Affected Products
gogs:gogs
Weaknesses (CWE)
CWE-552
References
https://github.com/gogs/gogs/commit/77a4a945ae9a87f77e392e9066b560edb71b5de9(security-advisories@github.com)
https://github.com/gogs/gogs/releases/tag/v0.13.3(security-advisories@github.com)
https://github.com/gogs/gogs/security/advisories/GHSA-wj44-9vcg-wjq7(security-advisories@github.com)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.