CVE-2024-56731

10.0 CRITICAL

📋 TL;DR

This vulnerability lets an authenticated but otherwise unprivileged Gogs user delete files inside a repository's .git directory on the server, which escalates to remote command execution. The attacker ends up running arbitrary commands as the RUN_USER account (the OS account Gogs runs under, set in app.ini), which can expose every repository hosted on the instance. All Gogs versions before 0.13.3 are affected.

💻 Affected Systems

Products:
  • Gogs
Versions: All versions prior to 0.13.3
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Any instance on which an attacker can hold an ordinary (non-admin) account is exploitable, whether that account comes from open self-registration or from a stolen credential. The RUN_USER setting determines which OS account attacker-controlled commands run as; it bounds the damage but does not prevent exploitation.

📦 What is this software?

Gogs is a self-hosted Git service written in Go and shipped as a single binary. It provides a web UI for hosting repositories, including an in-browser file editor, plus Git access over HTTP and SSH.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the Gogs server, allowing attackers to execute arbitrary commands, access and modify all hosted repositories, steal credentials, and pivot to other systems.

🟠 Likely Case

Unauthorized access to repositories, code theft, and potential lateral movement within the network.

🟢 If Mitigated

Even with network segmentation and a low-privilege RUN_USER in place, any existing account holder can still exploit the bug. The blast radius shrinks to the repositories and host access that account can reach; it is reduced, not eliminated.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: LIKELY
Unauthenticated Exploit: ❌ No
Complexity: LOW

Exploitation requires an authenticated account with no special privileges. The bug is a follow-up to CVE-2024-39931: the fix shipped for that CVE was incomplete, and this CVE tracks the remaining route to the same outcome (deleting files under .git and turning that into command execution).
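The page does not say how the 0.13.3 fix is implemented, and the example below is not Gogs's code. It is an added illustration, in Python, of what a complete check on a user-supplied repository path needs to cover before a web editor is allowed to create, edit or delete that path: a lexical layer (no traversal, no component named .git) and a filesystem layer (resolve the real target and confirm it is still inside the working tree and outside .git), because a fix that only does the first is the kind that gets reopened. The fixture built by demo() is constructed for the example.

```python
import os
import tempfile
from pathlib import PurePosixPath


def is_safe_repo_path(repo_root: str, user_path: str) -> bool:
    """Decide whether a user-supplied, repository-relative path may be
    created, edited or deleted through a web file editor.

    Illustrative policy (not Gogs's): reject absolute paths, traversal,
    and any component named exactly '.git', then confirm where the path
    really lands on disk once links are resolved."""
    p = PurePosixPath(user_path)
    if p.is_absolute() or str(p) == ".":
        return False
    # Lexical layer: operates on the untrusted string only.
    if any(part in ("..", ".git") for part in p.parts):
        return False
    # Filesystem layer: a link planted in the tree can redirect a
    # lexically clean path, so check the resolved target as well.
    root = os.path.realpath(repo_root)
    target = os.path.realpath(os.path.join(root, *p.parts))
    if target == root or os.path.commonpath([root, target]) != root:
        return False
    return ".git" not in PurePosixPath(os.path.relpath(target, root)).parts


def demo() -> dict:
    """Build a throwaway working tree (constructed fixture) and run the
    check over a few candidate paths. Returns {path: allowed}."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, ".git"))
    open(os.path.join(root, "README.md"), "w").close()
    # A link inside the working tree that points at the .git directory.
    os.symlink(os.path.join(root, ".git"), os.path.join(root, "link"))
    candidates = [
        "README.md",
        "docs/new-file.md",        # does not exist yet; still allowed
        ".git/config",
        "src/../.git/HEAD",        # traversal, caught lexically
        "link/HEAD",               # lexically clean, caught on resolution
        "../outside.txt",
        "/etc/passwd",
    ]
    return {c: is_safe_repo_path(root, c) for c in candidates}


if __name__ == "__main__":
    for path, allowed in demo().items():
        print(f"{'allow' if allowed else 'deny ':5} {path}")
```

The second layer is what makes the difference: "link/HEAD" contains neither ".." nor ".git" as a component, so a check that only inspects the string accepts it, while the resolved path lands under .git and is refused.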

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.13.3

Vendor Advisory: https://github.com/gogs/gogs/security/advisories/GHSA-wj44-9vcg-wjq7

Restart Required: Yes

Instructions:

1. Back up your Gogs data directory and app.ini.
2. Download Gogs 0.13.3 from the official releases.
3. Stop the Gogs service.
4. Replace the existing Gogs binary with the new version.
5. Start the Gogs service.
6. Verify the reported version is 0.13.3 (or later).

🔧 Temporary Workarounds

Disable user registration (applies to: all platforms)

Stops new unprivileged accounts from being created. Existing accounts can still exploit the bug, so audit them and disable any that are not needed.

Edit app.ini and set DISABLE_REGISTRATION = true under the [service] section, then restart Gogs so the change takes effect.

Network isolation (applies to: all platforms)

Restrict Gogs access to trusted networks only. This limits who can reach the instance; it does not protect against a compromised account inside the trusted network.

Configure firewall rules to limit access to the Gogs HTTP port (HTTP_PORT in app.ini, 3000 by default).

🧯 If You Can't Patch

  • Implement strict network access controls to limit Gogs exposure
  • Run Gogs under a dedicated, unprivileged RUN_USER with no access beyond its own data directory, so a successful exploit is contained to that account
  • Audit existing user accounts and disable any that are not needed; once registration is off, the remaining accounts are the attack surface
  • Monitor for suspicious activity and implement enhanced logging

🔍 How to Verify

Check if Vulnerable:

Check Gogs version via web interface or by running the Gogs binary with --version flag.

Check Version:

./gogs --version

Verify Fix Applied:

Confirm the reported version is 0.13.3 or later. To check behaviour, use a throwaway repository and a non-admin test account and confirm the web editor refuses to delete paths under .git; do not test against production repositories.

📡 Detection & Monitoring

Log Indicators:

  • Repository web-editor requests (delete, edit, upload) whose target path contains a .git component or path traversal (..)
  • Changes to files under the .git directory of hosted repositories on disk that do not correspond to normal Git operations (file integrity monitoring)
  • Processes spawned by the Gogs RUN_USER that are neither gogs nor git
  • A newly registered account that immediately starts deleting or editing repository files
  • Credential-stuffing patterns (failed logins followed by a success) against an account that then performs repository edits

Network Indicators:

  • Unexpected outbound connections from the Gogs host (reverse shells, tool downloads)
  • SSH or other lateral-movement traffic originating from the Gogs host

SIEM Query:

source="gogs.log" AND ("delete" OR "rm" OR "exec") AND ".git"

Treat this query as a coarse starting point. Gogs's own log does not record shell commands, so the "rm" and "exec" terms mostly add noise; match instead on the request paths of repository write operations and look for a .git component or ".." in the target path, excluding exact matches such as .gitignore and .github.
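The same detection logic as a script, added here as an example rather than taken from the page or from Gogs. The log lines are constructed, and their format (timestamp, client IP, user, method, path, status) and the editor endpoint names (_delete, _edit, _new, _upload under /{owner}/{repo}/{op}/{branch}/{file path}) are assumptions; map the fields and names to whatever log your instance or reverse proxy actually writes. The point it demonstrates is normalising the target path before matching, so "src/../.git/HEAD" is caught while ".gitignore" is not.

```python
import posixpath
import re
from collections import Counter

# Constructed sample access-log lines (not real Gogs output).
SAMPLE_LOG = """\
2024-06-24T10:00:01Z 203.0.113.7 alice POST /alice/app/_delete/master/README.md 302
2024-06-24T10:00:05Z 203.0.113.7 alice POST /alice/app/_delete/master/.git/config 302
2024-06-24T10:00:09Z 203.0.113.7 alice POST /alice/app/_delete/master/src/../.git/HEAD 302
2024-06-24T10:01:00Z 198.51.100.9 bob GET /bob/site/src/master/docs/.gitignore 200
2024-06-24T10:02:00Z 198.51.100.9 bob POST /bob/site/_edit/master/notes.txt 302
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<method>[A-Z]+) "
    r"(?P<path>\S+) (?P<status>\d{3})$"
)

# Assumed names of the web editor's write endpoints; adjust to your instance.
WRITE_OPS = {"_delete", "_edit", "_new", "_upload"}


def parse_line(line: str):
    """Split one log line into fields, or return None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def editor_target(path: str):
    """Return the repository-relative file path a write request targets,
    or None if the request is not an editor write. Assumed URL layout:
    /{owner}/{repo}/{op}/{branch}/{file path}."""
    parts = path.split("/")
    for i, part in enumerate(parts):
        if part in WRITE_OPS:
            return "/".join(parts[i + 2:])
    return None


def targets_git_dir(file_path: str) -> bool:
    """Normalise the target (collapsing '..') and flag any component that
    is exactly '.git'. Exact match matters: .gitignore and .github are
    legitimate file names."""
    return ".git" in posixpath.normpath(file_path).split("/")


def suspicious_events(log_text: str) -> list:
    """Editor writes whose target lands in .git or carries traversal."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        target = editor_target(rec["path"])
        if target is None:
            continue
        if targets_git_dir(target) or ".." in target.split("/"):
            rec["target"] = target
            events.append(rec)
    return events


def offenders(log_text: str) -> Counter:
    """Flagged requests per user: one deserves a look, several in a short
    window deserve an account lock and a check of the repository on disk."""
    return Counter(e["user"] for e in suspicious_events(log_text))


if __name__ == "__main__":
    for e in suspicious_events(SAMPLE_LOG):
        print(e["ts"], e["user"], e["ip"], "->", e["target"])
    print(dict(offenders(SAMPLE_LOG)))
```

Both "..": flagged events here are POST requests that the server may well have answered with a redirect (302) exactly as it does for a legitimate delete, which is why the status code is not part of the rule: on an unpatched instance a successful attack looks like a normal edit in the access log.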

🔗 References

  • Vendor advisory GHSA-wj44-9vcg-wjq7: https://github.com/gogs/gogs/security/advisories/GHSA-wj44-9vcg-wjq7
  • CVE-2024-39931, the earlier issue whose fix was incomplete
