
Unpatched Gogs Zero-Day Allows RCE on 2,400+ Exposed Servers

Sami Malik
Copywriter

What Happened

A zero-day argument injection vulnerability in Gogs, the self-hosted Git service, allows authenticated attackers to achieve remote code execution on any internet-facing instance running the latest release versions, with no patch currently available. Rapid7 senior security researcher Jonah Burges discovered the flaw, reported it to the Gogs maintainers on March 17, and received an acknowledgement on March 28, but has had no further response and no fix has been issued. Shadowserver is now tracking over 2,400 Gogs servers exposed online, the majority of them in Asia and Europe, according to BleepingComputer.

Why This Matters

There is no patch. That's the starting point. The Gogs maintainers have had this report for over two months and haven't shipped a fix or communicated a timeline. In the meantime, Burges has gone public, which means the vulnerability details are now available to anyone who wants them. The window between researcher disclosure and attacker exploitation is typically measured in hours, not weeks.

The blast radius here is significant. Successful exploitation doesn't just give an attacker a foothold on the Gogs server itself. It lets them read every repository on the instance, including other users' private repos, dump credentials including password hashes, API tokens, SSH keys, and 2FA secrets, pivot to other network-accessible systems, and modify hosted repository code. If your Gogs instance holds source code for internal tooling, infrastructure-as-code, or anything touching production, that's the entire software supply chain exposed from a single exploit chain that requires no admin privileges.

This also isn't the first time Gogs has been through this cycle. CVE-2025-8110, a different RCE vulnerability, was exploited in zero-day attacks before a patch was available, compromising hundreds of servers. CISA added it to its Known Exploited Vulnerabilities catalogue in January and ordered Federal Civilian Executive Branch agencies to remediate by February 2. The current unpatched flaw affects a different code path entirely, one that wasn't addressed by any of the previous patches for related argument injection bugs including CVE-2024-39933, CVE-2024-39932, CVE-2026-26194, and CVE-2024-39930. History strongly suggests this class of vulnerability in Gogs attracts active exploitation once it becomes public knowledge.

Who Is at Risk

The vulnerability affects Gogs 0.14.2, the latest release, and 0.15.0+dev, the current development build. There is no fixed version to upgrade to.

Default configurations make exposure far worse than it would otherwise be. Gogs ships with open registration enabled (DISABLE_REGISTRATION = false) and no limit on repository creation (MAX_CREATION_LIMIT = -1). Burges confirmed the vulnerability affects all Gogs servers running these defaults. Because anyone can register on an open-registration instance and then create a repository, an attacker ends up owning a repository on the target, which is all the exploit requires: the owner can trigger it without interaction from any other user. The authentication requirement that might otherwise limit the attack surface is effectively nullified on default-configured servers.

The exploitation path runs through pull requests: a malicious branch name is passed into the git rebase command that Gogs runs for the "Rebase before merging" merge operation, and because the name is treated as an argument rather than a ref it injects the --exec option, which makes git run an attacker-chosen command. Any instance with rebase merging enabled is directly in scope. Shadowserver's tracking puts the global exposure at over 2,400 internet-facing servers, with 1,894 in Asia and 319 in Europe. Sectors most likely to be running self-hosted Gogs include development-heavy organisations, government bodies managing internal code repositories, financial institutions with air-gap or compliance requirements that led them away from SaaS-based Git platforms, and any enterprise that deployed Gogs as a lightweight GitHub Enterprise alternative.
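The Go program below is an added illustration of this bug class; it is not Gogs's own Merge() code and not the researcher's proof of concept. Gogs is written in Go, so the example is too. It shows how a user-controlled branch name becomes a git option when spliced straight into argv, and one way to prevent it: validate the name with rules modelled on git check-ref-format and pass the fully qualified refs/heads/ form, which can never start with a dash. It also includes a small filter for hunting option-like branch names in a dump of refs. The sample name `--exec=id`, the sample ref list and all function names are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// unsafeRebaseArgs shows the argument-injection pattern: the user-controlled
// branch name is placed directly into git's argv, so a name that starts with
// "-" is parsed by git as an option rather than as a ref.
func unsafeRebaseArgs(branch string) []string {
	return []string{"rebase", branch}
}

// isOptionLike reports whether git would treat this argument as an option.
func isOptionLike(arg string) bool {
	return strings.HasPrefix(arg, "-")
}

// validateBranchName enforces a subset of the rules git applies in
// `git check-ref-format --branch`: no leading "-", no "..", "@{" or "//",
// no control characters, space or the characters ~ ^ : ? * [ \, no trailing
// "/" or ".", and no path component starting with "." or ending in ".lock".
func validateBranchName(name string) error {
	if name == "" || name == "@" {
		return errors.New("empty or reserved branch name")
	}
	if strings.HasPrefix(name, "-") {
		return errors.New("branch name must not start with '-'")
	}
	if strings.Contains(name, "..") || strings.Contains(name, "@{") || strings.Contains(name, "//") {
		return errors.New("branch name contains a forbidden sequence")
	}
	if strings.HasSuffix(name, "/") || strings.HasSuffix(name, ".") {
		return errors.New("branch name must not end with '/' or '.'")
	}
	for _, r := range name {
		if r < 0x20 || r == 0x7f || strings.ContainsRune(" ~^:?*[\\", r) {
			return fmt.Errorf("branch name contains forbidden character %q", r)
		}
	}
	for _, part := range strings.Split(name, "/") {
		if strings.HasPrefix(part, ".") || strings.HasSuffix(part, ".lock") {
			return fmt.Errorf("branch name component %q is not allowed", part)
		}
	}
	return nil
}

// safeRebaseArgs validates the name and then passes the fully qualified ref
// (refs/heads/<name>). That string always begins with "refs/", so git can
// never parse it as an option, whatever the user typed.
func safeRebaseArgs(branch string) ([]string, error) {
	if err := validateBranchName(branch); err != nil {
		return nil, err
	}
	return []string{"rebase", "refs/heads/" + branch}, nil
}

// suspiciousRefs filters a list of branch names (for example dumped from a
// Gogs instance during an audit) down to those git would parse as options.
func suspiciousRefs(names []string) []string {
	var out []string
	for _, n := range names {
		if isOptionLike(n) {
			out = append(out, n)
		}
	}
	return out
}

func main() {
	// Constructed sample: one ordinary branch and one hostile name that would
	// become a --exec option if spliced straight into `git rebase`.
	for _, b := range []string{"feature/login-fix", "--exec=id"} {
		naive := unsafeRebaseArgs(b)
		fmt.Printf("naive argv: %q (second arg option-like: %v)\n", naive, isOptionLike(naive[1]))
		if argv, err := safeRebaseArgs(b); err != nil {
			fmt.Printf("hardened: rejected %q: %v\n", b, err)
		} else {
			fmt.Printf("hardened argv: %q\n", argv)
		}
	}
	fmt.Printf("suspicious refs in sample dump: %q\n",
		suspiciousRefs([]string{"main", "-x", "dev", "--exec=id"}))
}
```

Validation alone is not enough if the caller later forgets it; the fully qualified ref is the defence that holds even when validation is bypassed, which is why the hardened builder does both.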

What to Do Now

Disable open registration immediately. Set DISABLE_REGISTRATION = true in the [service] section of your Gogs configuration file (custom/conf/app.ini) and restart Gogs. This prevents unauthenticated attackers from creating an account and using it to exploit the vulnerability. It doesn't eliminate risk for instances where untrusted users already have accounts, but it closes the most accessible entry point.

Restrict repository creation. Set MAX_CREATION_LIMIT = 0 (or a specific low integer) in the [repository] section of the configuration to prevent arbitrary users from creating repositories they own and enabling the rebase merge setting required to trigger exploitation. This directly disrupts the exploit chain Burges documented. Note that the limit only governs new repositories: a user who already owns a repository keeps it, and 0 also blocks legitimate users from creating repositories until a patch lands.

Disable rebase merging. The exploit requires the "Rebase before merging" merge operation to be enabled. Review repository settings across all hosted repositories and disable this option where it isn't operationally required. This is a narrow control aimed at the specific vulnerable code path in the Merge() function, and it only helps for repositories you control; a repository the attacker creates will carry whatever settings the attacker chooses, which is why it must be paired with the registration and creation limits above.

Take internet-exposed instances offline or restrict access. If your Gogs instance doesn't need to be publicly accessible, pull it behind a VPN or restrict it to specific IP ranges now. With no patch available and full technical details public, leaving a default-configured instance exposed to the internet is an unacceptable risk. Shadowserver's data shows over 2,400 servers are currently reachable, and that number is a target list.

Audit existing users, credentials, and repository access. Given that CVE-2025-8110 resulted in active exploitation of hundreds of servers before it was patched, it's worth checking whether your instance may already have been targeted. Review user account creation logs for unexpected registrations, examine access logs for unusual pull request or merge activity, look for branch names that begin with a dash or contain --exec (the injection vector described above), and consider rotating API tokens and SSH keys stored in the instance as a precaution.
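The two configuration steps above (disable registration, limit repository creation) can be checked mechanically. The Go program below is added here as an example and is not Gogs tooling: it parses the two relevant keys from an app.ini-style file and reports which mitigations are missing. The two sample configurations are constructed; [service] and [repository] are the sections where Gogs keeps these keys, and an absent key is treated as the shipped default, since that is what Gogs falls back to.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample of a Gogs custom/conf/app.ini carrying the shipped
// defaults the article describes: open registration and unlimited repository
// creation. A real file has many more keys; only these two matter here.
const weakConfig = `
[service]
; Whether to disable user registration
DISABLE_REGISTRATION = false

[repository]
; The maximum number of repositories a user can create (-1 means no limit)
MAX_CREATION_LIMIT = -1
`

// The same two keys with the recommended mitigations applied.
const hardenedConfig = `
[service]
DISABLE_REGISTRATION = true

[repository]
MAX_CREATION_LIMIT = 0
`

// parseIni is a minimal section/key parser sufficient for app.ini-style
// files: "[section]" headers, KEY = value lines, and ';' or '#' comments.
// Section names are lower-cased and keys upper-cased for lookup.
func parseIni(text string) map[string]map[string]string {
	conf := map[string]map[string]string{}
	section := "default"
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, ";") || strings.HasPrefix(line, "#") {
			continue
		}
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			section = strings.ToLower(strings.TrimSpace(line[1 : len(line)-1]))
			continue
		}
		key, val, ok := strings.Cut(line, "=")
		if !ok {
			continue
		}
		if conf[section] == nil {
			conf[section] = map[string]string{}
		}
		conf[section][strings.ToUpper(strings.TrimSpace(key))] = strings.TrimSpace(val)
	}
	return conf
}

// lookup returns the configured value, or the supplied Gogs default when the
// key is absent (an absent key means the shipped default is in effect).
func lookup(conf map[string]map[string]string, section, key, def string) string {
	if v, ok := conf[section][key]; ok {
		return v
	}
	return def
}

// auditGogsConfig returns one finding per setting that leaves the instance
// in the exposed posture described in the article. An empty result means
// both configuration mitigations are in place.
func auditGogsConfig(text string) []string {
	conf := parseIni(text)
	var findings []string

	reg := lookup(conf, "service", "DISABLE_REGISTRATION", "false")
	if !strings.EqualFold(reg, "true") {
		findings = append(findings, "[service] DISABLE_REGISTRATION = "+reg+
			": anyone can self-register and reach the authenticated-only code path")
	}

	limStr := lookup(conf, "repository", "MAX_CREATION_LIMIT", "-1")
	lim, err := strconv.Atoi(limStr)
	switch {
	case err != nil || lim < 0:
		findings = append(findings, "[repository] MAX_CREATION_LIMIT = "+limStr+
			": repository creation is unlimited, so a self-registered user can own a repository and enable rebase merging on it")
	case lim > 0:
		findings = append(findings, fmt.Sprintf(
			"[repository] MAX_CREATION_LIMIT = %d: users can still create up to %d repositories; 0 blocks creation entirely", lim, lim))
	}
	return findings
}

func main() {
	for _, c := range []struct{ name, text string }{{"weak", weakConfig}, {"hardened", hardenedConfig}} {
		findings := auditGogsConfig(c.text)
		fmt.Printf("%s config: %d finding(s)\n", c.name, len(findings))
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```

Run it against the real custom/conf/app.ini by reading the file into the string passed to auditGogsConfig; a file that omits both keys reports both findings, because omission means the insecure defaults apply.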

Frequently Asked Questions

Does an attacker need admin privileges to exploit this?

No. The flaw can be exploited by any authenticated user without admin privileges. Because Gogs ships with open registration enabled by default, an attacker can create their own account on any default-configured internet-facing instance, making the authentication requirement largely ineffective as a barrier.

Is there a patch available?

No. As of the time of writing, no patch exists. The Gogs maintainers acknowledged Burges's report on March 28 but haven't released a fix or provided a status update. You'll need to apply configuration-level mitigations while waiting for a patch to be issued.

How is this different from the CVE-2025-8110 vulnerability patched earlier this year?

Both are RCE vulnerabilities in Gogs, but they affect different code paths. This new flaw affects the Merge() function, which was never addressed by previous patches. Burges notes it's similar in class to CVE-2024-39933, CVE-2024-39932, CVE-2026-26194, and CVE-2024-39930, all of which were patched, but this particular path wasn't included.

How many servers are currently exposed?

Shadowserver is tracking over 2,400 internet-facing Gogs servers, with 1,894 in Asia and 319 in Europe. Shodan found just over 1,000 IP addresses with a Gogs fingerprint. Many of these are likely running default configurations with open registration enabled, making them directly exploitable without any prior account.

About the author
Sami Malik is a copywriter passionate about crafting clear, engaging, and impactful content that helps brands connect with their audience through storytelling and strategy.
