GHSA-MRPH-W4HH-GX3G
Vulnerability from github – Published: 2026-02-06 18:14 – Updated: 2026-02-06 19:06
Summary
Gogs has arbitrary file read/write via Path Traversal in Git hook editing
Details
Vulnerability Description
In the endpoint:
/username/reponame/settings/hooks/git/:name
the :name parameter:
- Is URL-decoded by macaron routing, allowing decoded slashes (/)
- Is then passed directly to:
git.Repository.Hook("custom_hooks", name)
which internally resolves the path as:
filepath.Join(repoPath, "custom_hooks", name)
Because no path sanitization is applied, supplying ../ sequences allows access to arbitrary paths outside the repository.
As a Result:
- GET: Arbitrary file contents are displayed in the hook edit page textarea (Local File Inclusion).
- POST: Existing files can be overwritten with attacker-controlled content (Arbitrary File Write).
Attack Prerequisites
- The attacker is an authenticated user
- The attacker has Admin or higher privileges on the target repository
- The attacker has the AllowGitHook permission (or is a site administrator)
- The target file is readable/writable under the OS permissions of the Gogs process
Attack Scenario
- An attacker (with AllowGitHook + repository Admin privileges) accesses the Git hook edit URL
- A path containing ../ is supplied in :name, fully URL-encoded using %2f
- The server resolves custom_hooks/../../... without validation
- Arbitrary file contents are displayed and existing files can be overwritten
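The unvalidated join from the Vulnerability Description and the traversal path from the Attack Scenario, shown next to a validated variant, as an added Go example (not Gogs' own code and not its fix commit); the function names and the repository path are constructed for illustration:

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrBadHookName is returned when a hook name could escape custom_hooks.
var ErrBadHookName = errors.New("invalid git hook name")

// unsafeHookPath mirrors the pattern the advisory describes: the request's
// :name is joined onto the repository path with no validation, so a name
// containing "../" resolves outside custom_hooks.
func unsafeHookPath(repoPath, name string) string {
	return filepath.Join(repoPath, "custom_hooks", name)
}

// safeHookPath is a hardened variant (added example, not Gogs' actual fix):
// it accepts only a bare file name, then double-checks that the cleaned
// result is still a direct child of custom_hooks.
func safeHookPath(repoPath, name string) (string, error) {
	lower := strings.ToLower(name)
	// Reject empty names, dot components, path separators and still-encoded
	// separators that a router might decode before the join.
	if name == "" || name == "." || name == ".." ||
		strings.ContainsAny(name, `/\`) ||
		strings.Contains(lower, "%2f") || strings.Contains(lower, "%5c") {
		return "", ErrBadHookName
	}
	hooksDir := filepath.Clean(filepath.Join(repoPath, "custom_hooks"))
	full := filepath.Clean(filepath.Join(hooksDir, name))
	// Defense in depth: the parent must be hooksDir and the base must be unchanged.
	if filepath.Dir(full) != hooksDir || filepath.Base(full) != name {
		return "", ErrBadHookName
	}
	return full, nil
}

func main() {
	repo := "/data/repos/user/repo.git" // constructed sample path
	for _, n := range []string{"pre-receive", "../../app.ini"} {
		fmt.Printf("unsafe: %q -> %s\n", n, unsafeHookPath(repo, n))
		if p, err := safeHookPath(repo, n); err != nil {
			fmt.Printf("safe:   %q -> rejected (%v)\n", n, err)
		} else {
			fmt.Printf("safe:   %q -> %s\n", n, p)
		}
	}
}
```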
Potential Impact
- Sensitive information disclosure: app.ini, databases, logs, environment variables, etc.
- Configuration or data tampering: Overwriting existing files
- Secondary impact: Extraction of SECRET_KEY and database credentials may allow token forging or further compromise
Severity
6.5 (Medium)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.13.3"
},
"package": {
"ecosystem": "Go",
"name": "gogs.io/gogs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.13.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-23633"
],
"database_specific": {
"cwe_ids": [
"CWE-22"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-06T18:14:51Z",
"nvd_published_at": "2026-02-06T18:15:56Z",
"severity": "MODERATE"
},
"details": "## Vulnerability Description\n\nIn the endpoint:\n\n```\n/username/reponame/settings/hooks/git/:name\n```\n\nthe `:name` parameter:\n\n* Is URL-decoded by **macaron routing**, allowing decoded slashes (`/`)\n* Is then passed directly to:\n\n```go\ngit.Repository.Hook(\"custom_hooks\", name)\n```\n\nwhich internally resolves the path as:\n\n```go\nfilepath.Join(repoPath, \"custom_hooks\", name)\n```\n\nBecause no path sanitization is applied, supplying `../` sequences allows access to **arbitrary paths outside the repository**.\n\n### As a Result:\n\n* **GET:** Arbitrary file contents are displayed in the hook edit page textarea (**Local File Inclusion**).\n* **POST:** Existing files can be overwritten with attacker-controlled content (**Arbitrary File Write**).\n\n---\n\n## Attack Prerequisites\n\n* The attacker is an authenticated user\n* The attacker has **Admin or higher privileges** on the target repository\n* The attacker has the **AllowGitHook** permission (or is a site administrator)\n* The target file is readable/writable by the **Gogs process OS permissions**\n\n---\n\n## Attack Scenario\n\n1. An attacker (with AllowGitHook + repository Admin privileges) accesses the Git hook edit URL\n2. A path containing `../` is supplied in `:name`, fully URL-encoded using `%2f`\n3. The server resolves `custom_hooks/../../...` without validation\n4. Arbitrary file contents are displayed and existing files can be overwritten\n\n---\n\n## Potential Impact\n\n* **Sensitive information disclosure:** `app.ini`, databases, logs, environment variables, etc.\n* **Configuration or data tampering:** Overwriting existing files\n* **Secondary impact:** Extraction of `SECRET_KEY` and database credentials may allow token forging or further compromise",
"id": "GHSA-mrph-w4hh-gx3g",
"modified": "2026-02-06T19:06:58Z",
"published": "2026-02-06T18:14:51Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/gogs/gogs/security/advisories/GHSA-mrph-w4hh-gx3g"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23633"
},
{
"type": "WEB",
"url": "https://github.com/gogs/gogs/commit/4894629903f9508fe85567c44f68804f008f1655"
},
{
"type": "PACKAGE",
"url": "https://github.com/gogs/gogs"
},
{
"type": "WEB",
"url": "https://github.com/gogs/gogs/releases/tag/v0.13.4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Gogs has arbitrary file read/write via Path Traversal in Git hook editing"
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.