CVE-2024-54148

9.8 CRITICAL

📋 TL;DR

This vulnerability in Gogs allows a malicious user to commit a crafted symlink file to a repository, potentially gaining SSH access to the server. All Gogs instances running vulnerable versions are affected, particularly those with user repositories enabled. Attackers could achieve remote code execution on the Gogs server.

💻 Affected Systems

Products:
  • Gogs
Versions: All versions before 0.13.1
Operating Systems: All platforms running Gogs
Default Config Vulnerable: ⚠️ Yes
Notes: All Gogs installations with repository functionality enabled are vulnerable. The vulnerability requires user repository access to exploit.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full server compromise with SSH access, allowing attackers to execute arbitrary commands, steal data, install malware, or pivot to other systems.

🟠 Likely Case

Unauthorized SSH access leading to repository manipulation, data theft, and potential lateral movement within the network.

🟢 If Mitigated

Limited impact if proper access controls, network segmentation, and monitoring are in place, though the vulnerability still presents significant risk.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated user access to commit to a repository. The vulnerability is straightforward to exploit once access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.13.1

Vendor Advisory: https://github.com/gogs/gogs/security/advisories/GHSA-r7j8-5h9c-f6fx

Restart Required: Yes

Instructions:

1. Back up your Gogs data and configuration.
2. Stop the Gogs service.
3. Update to version 0.13.1 or later.
4. Restart the Gogs service.
5. Verify the update was successful.

🔧 Temporary Workarounds

Disable repository creation (all platforms)

Temporarily disable user repository creation to prevent exploitation:

Edit app.ini and set ENABLE_USER_REPOSITORIES = false

Restrict SSH access (linux)

Limit SSH access to the Gogs server using firewall rules (replace trusted_ip with your administrative source address):

iptables -A INPUT -p tcp --dport 22 -s trusted_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP

🧯 If You Can't Patch

  • Implement strict access controls and monitor repository activity for suspicious symlink creation
  • Isolate Gogs server from critical systems and implement network segmentation

🔍 How to Verify

Check if Vulnerable:

Check the Gogs version in the admin panel or via the command line. If the version is below 0.13.1, the system is vulnerable.

Check Version:

./gogs --version or check admin dashboard

Verify Fix Applied:

After updating, verify version is 0.13.1 or higher and test that symlink files cannot be used to gain SSH access.

📡 Detection & Monitoring

Log Indicators:

  • Unusual symlink file commits in repository logs
  • Failed SSH authentication attempts from unexpected sources
  • Repository activity from suspicious users

Network Indicators:

  • Unexpected SSH connections to Gogs server
  • Network traffic patterns indicating data exfiltration

SIEM Query:

source="gogs" AND (symlink OR "symbolic link") AND commit
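To act on the "suspicious symlink creation" indicator above, a reviewer can scan each pushed commit's tree for symlink entries (git mode 120000) whose target is an absolute path or resolves outside the repository root. The following is an added example, not code from Gogs or from this advisory; the tree listing and link targets are constructed samples in the shape of `git ls-tree -r` and `git cat-file -p` output.

```python
import posixpath

# Constructed sample: output of `git ls-tree -r <commit>` ("mode type sha\tpath")
# and the blob content (the link target) of each symlink entry, as obtained
# with `git cat-file -p <sha>`. SHAs and paths are made up for illustration.
SAMPLE_TREE = """\
100644 blob 1111111111111111111111111111111111111111\tREADME.md
120000 blob 2222222222222222222222222222222222222222\tdocs/latest
120000 blob 3333333333333333333333333333333333333333\tkeys
120000 blob 4444444444444444444444444444444444444444\tbuild/out
"""
SAMPLE_LINK_TARGETS = {
    "2222222222222222222222222222222222222222": "../docs/v2",            # stays inside repo
    "3333333333333333333333333333333333333333": "../../../outside-repo",  # escapes repo root
    "4444444444444444444444444444444444444444": "/var/lib/gogs",          # absolute path
}

def symlink_entries(ls_tree_output):
    """Yield (path, blob_sha) for every tree entry in mode 120000 (symlink)."""
    for line in ls_tree_output.splitlines():
        if not line:
            continue
        meta, path = line.split("\t", 1)
        mode, _type, sha = meta.split()
        if mode == "120000":
            yield path, sha

def classify_target(link_path, target):
    """Return 'absolute', 'escapes' or 'internal' for a symlink's target."""
    if posixpath.isabs(target):
        return "absolute"
    # Resolve the target relative to the link's own directory inside the repo.
    resolved = posixpath.normpath(posixpath.join(posixpath.dirname(link_path), target))
    if resolved == ".." or resolved.startswith("../"):
        return "escapes"
    return "internal"

def suspicious_symlinks(ls_tree_output, link_targets):
    """Return [(path, target, verdict)] for symlinks that leave the repository."""
    findings = []
    for path, sha in symlink_entries(ls_tree_output):
        target = link_targets[sha]
        verdict = classify_target(path, target)
        if verdict != "internal":
            findings.append((path, target, verdict))
    return findings

if __name__ == "__main__":
    for path, target, verdict in suspicious_symlinks(SAMPLE_TREE, SAMPLE_LINK_TARGETS):
        print(f"{verdict:9} {path} -> {target}")
```

Run as a pre-receive hook or a periodic audit over recent commits; an alert on any "escapes" or "absolute" finding gives a far more precise signal than a keyword match on "symlink" in logs.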

🔗 References
