CVE-2025-64111 – This vulnerability allows attackers to modify f... (How to Fix)

Q: What is the severity of CVE-2025-64111?

CVE-2025-64111 has a CVSS score of 9.8 (CRITICAL). This vulnerability allows attackers to modify files in the .git directory of Gogs installations, potentially leading to remote command execution. It affects Gogs versions 0.13.3 and earlier due to an insufficient patch for a previous vulnerability. Organizations running vulnerable Gogs instances are at risk.

📋 TL;DR

This vulnerability allows attackers to modify files in the .git directory of Gogs installations, potentially leading to remote command execution. It affects Gogs versions 0.13.3 and earlier due to an insufficient patch for a previous vulnerability. Organizations running vulnerable Gogs instances are at risk.

💻 Affected Systems

Products:

Gogs

Versions: 0.13.3 and earlier

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: All deployments of affected versions are vulnerable regardless of configuration.

📦 What is this software?

Gogs by Gogs

View all CVEs affecting Gogs →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the Gogs server with full remote command execution, allowing attackers to steal source code, deploy malware, or pivot to other systems.

🟠

Likely Case

Remote code execution leading to data exfiltration, installation of backdoors, or disruption of Git services.

🟢

If Mitigated

Limited impact if proper network segmentation and access controls prevent external exploitation attempts.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Based on the advisory, exploitation appears to be unauthenticated and relatively straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.13.4 or 0.14.0+dev

Vendor Advisory: https://github.com/gogs/gogs/security/advisories/GHSA-gg64-xxr9-qhjp

Restart Required: Yes

Instructions:

1. Backup your Gogs data and configuration. 2. Download Gogs version 0.13.4 or later from the official repository. 3. Stop the Gogs service. 4. Replace the existing Gogs binary with the new version. 5. Restart the Gogs service. 6. Verify the version is updated.

🔧 Temporary Workarounds

Network Access Restriction

linux

Restrict network access to Gogs instance to trusted IP addresses only

# Use firewall rules to restrict access
iptables -A INPUT -p tcp --dport 3000 -s trusted_ip_range -j ACCEPT
iptables -A INPUT -p tcp --dport 3000 -j DROP

🧯 If You Can't Patch

Implement strict network segmentation to isolate Gogs from critical systems
Deploy a web application firewall (WAF) with rules to detect and block .git directory manipulation attempts

🔍 How to Verify

Check if Vulnerable:

Check the Gogs version by accessing the web interface or running: ./gogs --version

Check Version:

./gogs --version

Verify Fix Applied:

Confirm the version is 0.13.4 or later and test that .git directory modifications are properly restricted

📡 Detection & Monitoring

Log Indicators:

Unusual file modification patterns in .git directory
Failed authentication attempts followed by file operations
Commands executed via web hooks or Git operations

Network Indicators:

Unusual HTTP requests targeting .git paths
Suspicious Git operations from unexpected sources

SIEM Query:

source="gogs" AND (path="*.git*" OR command="*sh*" OR command="*bash*")

📊 Metadata

CVE ID: CVE-2025-64111

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-78

EPSS Score: 0.12% exploit probability (31.3th percentile)

Published: February 6, 2026

Last Updated: February 18, 2026

🔗 References

https://github.com/gogs/gogs/security/advisories/GHSA-gg64-xxr9-qhjp Exploit,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-64111, you might also want to check these: