CVE-2025-64175
📋 TL;DR
Gogs 0.13.3 and earlier contain a critical authentication bypass: 2FA recovery codes are not bound to the user who generated them. An attacker who already knows a victim's username and password can satisfy the victim's 2FA prompt with any unused recovery code from any account on the same instance (for example, one they control), giving full account takeover. Every Gogs deployment on an affected version that has 2FA enabled is exposed.
💻 Affected Systems
- Gogs
📦 What is this software?
Gogs (gogs.io): a self-hosted Git service written in Go, maintained by the Gogs project.
⚠️ Risk & Real-World Impact
Worst Case
Complete takeover of any account whose password the attacker has obtained, allowing data theft, repository manipulation, and administrative access if the target is an admin account.
Likely Case
Targeted attacks against specific users where credentials have been compromised through phishing or credential stuffing, leading to unauthorized access to private repositories and sensitive data.
If Mitigated
Reduced impact if strong password policies, credential-compromise monitoring, and network segmentation make it harder for an attacker to obtain and use a valid password; once they have one, 2FA still provides no protection on an unpatched instance.
🎯 Exploit Status
Exploitation requires a valid username/password for the target account plus any unused recovery code from any account on the instance. Because the code need not belong to the victim, the attacker can obtain one from an account they already have, including one they register themselves where self-registration is enabled. No exploit code is needed beyond the normal login HTTP requests.
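The following Go example, written for this page and not taken from the Gogs code base, contrasts the two recovery-code lookups the advisory describes: one keyed on the code alone (the flaw) and one keyed on the authenticating user's ID as well. The store, the user IDs and the code strings are constructed fixtures; only the shape of the check is what matters.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
)

// RecoveryCode is one row of a constructed recovery-code table. Owner, code
// and used flag are the minimum a 2FA implementation has to keep; the values
// used below are made up for this example.
type RecoveryCode struct {
	UserID int64
	Code   string
	Used   bool
}

// Store is an in-memory stand-in for the database table.
type Store struct{ codes []*RecoveryCode }

// ErrBadCode is returned for unknown, used and foreign codes alike, so the
// error does not reveal which case applied.
var ErrBadCode = errors.New("recovery code invalid or already used")

// NewDemoStore builds the constructed fixture: user 1 is the victim, user 2 is
// an account the attacker controls on the same instance.
func NewDemoStore() *Store {
	return &Store{codes: []*RecoveryCode{
		{UserID: 1, Code: "victim-code-1"},
		{UserID: 1, Code: "victim-code-2"},
		{UserID: 2, Code: "attacker-code-1"},
	}}
}

func equalCode(a, b string) bool {
	return subtle.ConstantTimeCompare([]byte(a), []byte(b)) == 1
}

// UseRecoveryCodeUnscoped models the flaw: the lookup matches on the code
// alone, so a code issued to any account satisfies the 2FA step of whichever
// account is currently logging in.
func (s *Store) UseRecoveryCodeUnscoped(code string) error {
	for _, rc := range s.codes {
		if !rc.Used && equalCode(rc.Code, code) {
			rc.Used = true
			return nil
		}
	}
	return ErrBadCode
}

// UseRecoveryCodeScoped is the hardened form: the code is looked up under the
// ID of the user who has just passed the password step, and the same predicate
// both checks and consumes the row, so a foreign code is never accepted and
// never marked used.
func (s *Store) UseRecoveryCodeScoped(userID int64, code string) error {
	for _, rc := range s.codes {
		if rc.UserID == userID && !rc.Used && equalCode(rc.Code, code) {
			rc.Used = true
			return nil
		}
	}
	return ErrBadCode
}

func main() {
	victimID := int64(1)
	attackerCode := "attacker-code-1"

	s := NewDemoStore()
	fmt.Println("unscoped, victim login with attacker's code:", s.UseRecoveryCodeUnscoped(attackerCode))

	s = NewDemoStore()
	fmt.Println("scoped, victim login with attacker's code:  ", s.UseRecoveryCodeScoped(victimID, attackerCode))
	fmt.Println("scoped, victim login with own code:         ", s.UseRecoveryCodeScoped(victimID, "victim-code-1"))
	fmt.Println("scoped, victim reuses the same code:        ", s.UseRecoveryCodeScoped(victimID, "victim-code-1"))
}
```

Against a real database the scoped version corresponds to a single `WHERE user_id = ? AND code = ? AND is_used = 0` predicate on both the select and the update; the user ID must come from the server-side session established by the password step, never from a request parameter.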
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.13.4 or 0.14.0+dev
Vendor Advisory: https://github.com/gogs/gogs/security/advisories/GHSA-p6x6-9mx6-26wj
Restart Required: Yes
Instructions:
1. Back up the Gogs data directory and configuration (custom/conf/app.ini).
2. Download the patched release (0.13.4 or later) from https://gogs.io.
3. Stop the Gogs service.
4. Replace the binary with the new version.
5. Start the Gogs service.
6. Confirm the reported version is 0.13.4 or later.
🔧 Temporary Workarounds
Disable 2FA Recovery Codes
Temporarily disable the recovery-code login path so the unscoped lookup cannot be reached while the upgrade is planned.
Not available as a configuration option: this requires modifying and rebuilding Gogs, so for most deployments the practical answer is to upgrade.
🧯 If You Can't Patch
- Restrict network access to the Gogs instance (VPN, IP allow-list) so a stolen password alone is not enough to reach the login form.
- Enforce strong password policies and monitor for credential compromise with your existing security tooling.
- Where possible, disable open self-registration, since a freshly registered account is the easiest source of a recovery code for an attacker.
🔍 How to Verify
Check if Vulnerable:
Check Gogs version via web interface admin panel or by examining the binary version. If version is 0.13.3 or earlier and 2FA is enabled, the system is vulnerable.
Check Version:
Check web interface at /admin or run: ./gogs --version
Verify Fix Applied:
After patching, confirm the admin panel reports 0.13.4 or later. To confirm the scoping fix itself, generate recovery codes on a test account A, then try to complete the 2FA step for a second test account B with one of A's unused codes: B's login must be rejected, and A's code must remain usable by A.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed 2FA attempts followed by successful login with recovery code
- Recovery code usage from IP addresses not associated with the account owner
- Successful logins completed with a recovery code on accounts whose owners did not use one
Network Indicators:
- Unusual authentication patterns against the 2FA login endpoints (/user/login/two_factor and /user/login/two_factor_recovery_code in Gogs 0.13)
- Recovery code submission requests from unexpected sources
SIEM Query:
source="gogs" AND (event="2fa_recovery_used" OR message="recovery code") | stats count by user, src_ip
The event and field names are placeholders; adapt them to how your Gogs logs are ingested. If only the request log is available, key on POST requests to /user/login/two_factor_recovery_code by client IP instead.
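As an added example, not part of the original advisory, the Go program below turns the first two log indicators into running detection logic: a recovery code accepted from an address outside the account's baseline, and a recovery code accepted right after repeated TOTP failures for the same account. The key=value log format, the sample lines and the per-account known-IP baseline are all constructed for this example; map the fields from whatever your Gogs logs actually contain.

```go
package main

import (
	"fmt"
	"strings"
)

// Event is one parsed authentication record in the constructed format
// "<time> user=<name> ip=<addr> step=<password|totp|recovery_code> result=<ok|fail>".
type Event struct {
	Time, User, IP, Step, Result string
}

// Alert is one finding produced by Analyze.
type Alert struct {
	Rule, User, IP, Time string
}

// ConstructedLog is sample data written for this example, not real Gogs output.
var ConstructedLog = []string{
	"2025-11-05T10:01:03Z user=alice ip=198.51.100.7 step=password result=ok",
	"2025-11-05T10:01:09Z user=alice ip=198.51.100.7 step=totp result=ok",
	"2025-11-05T11:14:20Z user=bob ip=203.0.113.9 step=password result=ok",
	"2025-11-05T11:14:25Z user=bob ip=203.0.113.9 step=totp result=fail",
	"2025-11-05T11:14:31Z user=bob ip=203.0.113.9 step=totp result=fail",
	"2025-11-05T11:14:40Z user=bob ip=203.0.113.9 step=recovery_code result=ok",
	"2025-11-05T12:30:02Z user=carol ip=192.0.2.80 step=password result=ok",
	"2025-11-05T12:30:10Z user=carol ip=192.0.2.80 step=recovery_code result=ok",
}

// KnownIPs is a constructed baseline of addresses each account normally uses.
var KnownIPs = map[string][]string{
	"alice": {"198.51.100.7"},
	"bob":   {"192.0.2.44"},
	"carol": {"192.0.2.80"},
}

// ParseEvent reads one line of the constructed format; malformed lines yield false.
func ParseEvent(line string) (Event, bool) {
	fields := strings.Fields(line)
	if len(fields) < 5 {
		return Event{}, false
	}
	ev := Event{Time: fields[0]}
	for _, kv := range fields[1:] {
		k, v, ok := strings.Cut(kv, "=")
		if !ok {
			return Event{}, false
		}
		switch k {
		case "user":
			ev.User = v
		case "ip":
			ev.IP = v
		case "step":
			ev.Step = v
		case "result":
			ev.Result = v
		}
	}
	return ev, ev.User != "" && ev.Step != ""
}

func contains(list []string, s string) bool {
	for _, x := range list {
		if x == s {
			return true
		}
	}
	return false
}

// Analyze walks the events in order, tracking consecutive TOTP failures per
// user, and raises an alert when a recovery code is accepted from an unknown
// address or after two or more TOTP failures (someone who has the password but
// not the authenticator). Legitimate recovery-code use from a known address
// with no preceding failures, as in carol's case, produces nothing.
func Analyze(lines []string, known map[string][]string) []Alert {
	var alerts []Alert
	totpFailures := map[string]int{}
	for _, line := range lines {
		ev, ok := ParseEvent(line)
		if !ok {
			continue
		}
		switch {
		case ev.Step == "totp" && ev.Result == "fail":
			totpFailures[ev.User]++
		case ev.Step == "totp" && ev.Result == "ok":
			totpFailures[ev.User] = 0
		case ev.Step == "recovery_code" && ev.Result == "ok":
			if !contains(known[ev.User], ev.IP) {
				alerts = append(alerts, Alert{"recovery code accepted from unknown IP", ev.User, ev.IP, ev.Time})
			}
			if totpFailures[ev.User] >= 2 {
				alerts = append(alerts, Alert{"recovery code accepted after repeated TOTP failures", ev.User, ev.IP, ev.Time})
			}
			totpFailures[ev.User] = 0
		}
	}
	return alerts
}

func main() {
	for _, a := range Analyze(ConstructedLog, KnownIPs) {
		fmt.Printf("%s %s user=%s ip=%s\n", a.Time, a.Rule, a.User, a.IP)
	}
}
```

On the sample data only bob's session trips both rules. The baseline is the weak point of the first rule in practice: build it from a window of successful TOTP logins per account rather than maintaining it by hand, and treat a recovery-code login that creates a new baseline entry as something to confirm with the account owner.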