CVE-2024-39930

9.9 CRITICAL

📋 TL;DR

This vulnerability allows authenticated attackers to execute arbitrary code on Gogs servers by exploiting argument injection in the built-in SSH server. It affects Gogs installations with the built-in SSH server enabled, specifically versions through 0.13.0. Windows installations are not vulnerable.

💻 Affected Systems

Products:
  • Gogs
Versions: through 0.13.0
Operating Systems: Linux, Unix-based systems
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when built-in SSH server is enabled. Windows installations are unaffected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with attacker gaining root/administrator privileges, allowing data theft, lateral movement, and persistent backdoor installation.

🟠 Likely Case

Unauthorized code execution leading to repository manipulation, credential theft, and potential access to connected systems.

🟢 If Mitigated

Limited impact if the built-in SSH server is disabled or proper network segmentation prevents access to the vulnerable service.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated SSH access. Technical details and proof-of-concept are publicly available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.14.0 and later

Vendor Advisory: https://github.com/gogs/gogs/releases

Restart Required: Yes

Instructions:

1. Back up your Gogs data and configuration.
2. Download Gogs 0.14.0 or later from the official releases.
3. Stop the Gogs service.
4. Replace the binary with the patched version.
5. Restart the Gogs service.
6. Verify the version is 0.14.0 or higher.

🔧 Temporary Workarounds

Disable built-in SSH server (platform: linux)

Disable the vulnerable SSH server component and use an external SSH solution instead.

  • Edit the app.ini configuration file and set DISABLE_SSH = true
  • Restart the Gogs service

Network access control (platform: all)

Restrict SSH access to trusted IP addresses only.

  • Configure firewall rules to limit access to the SSH port
  • Use network segmentation to isolate the Gogs server

🧯 If You Can't Patch

  • Disable built-in SSH server immediately and use external SSH solutions
  • Implement strict network segmentation and firewall rules to limit SSH access to trusted sources only

🔍 How to Verify

Check if Vulnerable:

The installation is vulnerable if the Gogs version is 0.13.0 or earlier AND the built-in SSH server is enabled in the configuration (Windows installations are unaffected).

Check Version:

Run ./gogs --version from the installation directory, or check the admin panel in the web interface.

Verify Fix Applied:

Confirm the reported version is 0.14.0 or later using the same version check.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SSH connection patterns
  • Malformed SSH requests with --split-string env parameters
  • Unexpected process execution from Gogs SSH service

Network Indicators:

  • SSH connections to Gogs server followed by unusual outbound connections
  • Traffic patterns indicating command execution

SIEM Query:

source="gogs" AND ("--split-string" OR "env request" OR "SSH argument injection")
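The version check, the configuration check and the log-indicator search from the sections above, combined into one script. This is an added example, not code from this advisory or from the Gogs project. It assumes an app.ini whose [server] section carries the DISABLE_SSH key the advisory names plus START_SSH_SERVER, the key Gogs uses to switch on its built-in SSH server (relying on my knowledge of Gogs configuration; confirm against your own app.ini). The app.ini snippet and the log lines are constructed sample data, and the log line layout is invented for the example rather than taken from Gogs's real log output.

```python
"""Defender-side checks for CVE-2024-39930 (Gogs built-in SSH argument injection).

Added example, not from the advisory or the Gogs project. It does three things:
  1. parses an app.ini and reports whether the built-in SSH server would run,
  2. compares a reported Gogs version against the fixed release (0.14.0),
  3. scans SSH log lines for the "--split-string" env-request indicator
     that the advisory lists under Log Indicators.
All sample data below is constructed for the example.
"""
import configparser
import re

FIXED_VERSION = (0, 14, 0)          # first release with the fix, per the advisory
SPLIT_STRING = re.compile(r"--split-string")   # indicator named in the advisory

# Constructed app.ini fragment (Gogs keeps a few keys above the first section header).
SAMPLE_APP_INI = """\
APP_NAME = Gogs
RUN_USER = git

[server]
DOMAIN = gogs.example.internal
HTTP_PORT = 3000
DISABLE_SSH = false
START_SSH_SERVER = true
SSH_PORT = 2222
"""

# Constructed log lines; the format is invented for this example.
SAMPLE_LOG = """\
2024-07-01 10:00:01 [INFO] SSH: env request user=alice name=GIT_PROTOCOL value=version=2
2024-07-01 10:00:02 [WARN] SSH: env request user=bob name=--split-string value=x
2024-07-01 10:00:03 [INFO] SSH: exec request user=alice command=git-upload-pack 'alice/repo.git'
"""


def parse_version(text):
    """Pull the first dotted version out of `gogs --version` style output."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def version_is_fixed(text):
    """True when the reported version is 0.14.0 or later."""
    return parse_version(text) >= FIXED_VERSION


def builtin_ssh_enabled(app_ini_text):
    """True when the built-in SSH server would run.

    DISABLE_SSH is the key the advisory's workaround sets to true.
    START_SSH_SERVER is assumed to be the [server] key that enables the
    built-in server (check your own app.ini).
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    # Gogs places keys before the first [section]; configparser needs a header.
    cp.read_string("[_toplevel]\n" + app_ini_text)
    if not cp.has_section("server"):
        return False
    disabled = cp.getboolean("server", "DISABLE_SSH", fallback=False)
    builtin = cp.getboolean("server", "START_SSH_SERVER", fallback=False)
    return builtin and not disabled


def is_vulnerable(version_text, app_ini_text, platform="linux"):
    """Apply the advisory's rule: version <= 0.13.0, built-in SSH on, not Windows."""
    if platform.lower() == "windows":
        return False
    return (not version_is_fixed(version_text)) and builtin_ssh_enabled(app_ini_text)


def find_indicators(log_text):
    """Return (line_number, line) for every line carrying the --split-string indicator."""
    return [(n, line) for n, line in enumerate(log_text.splitlines(), 1)
            if SPLIT_STRING.search(line)]


if __name__ == "__main__":
    reported = "Gogs version 0.13.0"
    print("vulnerable:", is_vulnerable(reported, SAMPLE_APP_INI))
    for n, line in find_indicators(SAMPLE_LOG):
        print(f"indicator at line {n}: {line}")
```

Point the script at a real app.ini and the output of ./gogs --version to reproduce the "Check if Vulnerable" rule; feed it your SSH log export to get the same hits the SIEM query above would return for the --split-string term.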
