GHSA-P6X6-9MX6-26WJ
Vulnerability from github – Published: 2026-02-06 17:54 – Updated: 2026-02-06 19:06Contact OpenAI Security Research at outbounddisclosures@openai.com to engage on this report.
See PDF report for easier reading.
Security Advisory: 2FA Bypass via Recovery Code Vulnerability Type: 2FA Authentication Bypass Affected Software: GOGS Severity: High Date: Aug 5, 2025 Discoverer: OpenAI Security Research Summary Gogs’ 2FA recovery code validation does not scope codes by user, enabling cross-account bypass. If an attacker knows a victim’s username and password, they can use Security Advisory_ 2FA Bypass via Recovery Code - Google Docs.pdf any unused recovery code (e.g., from their own account) to bypass the victim’s 2FA. This enables full account takeover and renders 2FA ineffective in all environments where it's enabled. Affected Versions Software: Gogs Confirmed Version(s): All versions with 2FA support Likely Affected: All versions since introduction of UseRecoveryCode logic Introduced Commit: a617d52374e937db0edacfba2a26bdd14a05538e Commit: a617d52374e937db0edacfba2a26bdd14a05538e Author: Joe Chen Date: Apr 5, 2017 Description: 2fa: initial support
Vulnerability Details The function UseRecoveryCode in internal/database/two_factor.go fails to check that the recovery code belongs to the authenticating user. Instead, it looks for any unused recovery code: Vulnerable Code Snippet
func UseRecoveryCode(_ int64, code string) error {
recoveryCode := new(TwoFactorRecoveryCode)
has, err := x.Where("code = ?", code).And("is_used = ?", false).Get(recoveryCode)
...
}
Although the caller passes userID, it is ignored. The result is a global lookup for any unused code, allowing an attacker to submit their own recovery code during another user's login flow.
Call Chain
web login handler → UseRecoveryCode(userID, code) → DB query without userID constraint Proof-of-Concept (PoC) Description This bug is tested against the latest version of Gogs hosted on Dockerhub. Attacker uses their own recovery code to bypass another user’s 2FA. Steps Create attacker account A and enable 2FA. Save a code like "abcde-fghij". Obtain credentials for victim B. Attempt login as B via web. When prompted for recovery code, submit A's code. Login as B succeeds; A's code is marked as used.
Impact 2FA rendered ineffective for all users Realistic Exploitation Scenarios Public Gogs instances with 2FA enabled Developer or maintainer accounts Enterprise self-hosted Gogs servers Potential Impact This vulnerability critically undermines 2FA. Since recovery codes are not globally unique and lack user scoping, any attacker with victim credentials can use one of their own recovery codes to complete login as the victim — bypassing all 2FA protections. This opens the door to account hijacking, data exfiltration, and downstream supply chain compromise. Timeline August 2025: Discovered via GPT5 August 2025: Reproduced and confirmed via PoC and sanitizer Aug 6, 2025 - Sent to Gogs via https://github.com/gogs/gogs/security/advisories/new
This information is being shared by OpenAI solely for the purpose of improving security and reducing potential harm. This information is presented as-is. OpenAI Security Research makes no representations or warranties, express or implied, as to the completeness, accuracy, or fitness for any particular purpose of the information. [This includes, without limitation any suggestions or ideas presented on how to remedy or mitigate an identified vulnerability, including whether such suggestions or ideas would be effective and/or could have other negative impacts.] OpenAI disclaims any liability for direct or indirect damages arising from the reliance on, or use, misuse, or interpretation of this information. Any references to third-party systems, services, or entities are included solely for identification purposes and do not imply endorsement, responsibility, or attribution.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.13.3"
},
"package": {
"ecosystem": "Go",
"name": "gogs.io/gogs"
},
"ranges": [
{
"events": [
{
"introduced": "0.11.19"
},
{
"fixed": "0.13.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-64175"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-06T17:54:52Z",
"nvd_published_at": "2026-02-06T18:15:55Z",
"severity": "HIGH"
},
"details": "Contact OpenAI Security Research at outbounddisclosures@openai.com to engage on this report. \nSee PDF report for easier reading.\n\nSecurity Advisory: 2FA Bypass via Recovery Code\nVulnerability Type: 2FA Authentication Bypass\nAffected Software: GOGS\nSeverity: High\nDate: Aug 5, 2025\nDiscoverer: OpenAI Security Research\nSummary\nGogs\u2019 2FA recovery code validation does not scope codes by user, enabling cross-account bypass. If an attacker knows a victim\u2019s username and password, they can use\n[Security Advisory_ 2FA Bypass via Recovery Code - Google Docs.pdf](https://github.com/user-attachments/files/21643266/Security.Advisory_.2FA.Bypass.via.Recovery.Code.-.Google.Docs.pdf)\n any unused recovery code (e.g., from their own account) to bypass the victim\u2019s 2FA. This enables full account takeover and renders 2FA ineffective in all environments where it\u0027s enabled.\nAffected Versions\nSoftware: [Gogs](https://github.com/gogs/gogs/tree/main)\nConfirmed Version(s): All versions with 2FA support\nLikely Affected: All versions since introduction of UseRecoveryCode logic\nIntroduced Commit: [a617d52374e937db0edacfba2a26bdd14a05538e](https://github.com/gogs/gogs/commit/a617d52374e937db0edacfba2a26bdd14a05538e) \nCommit: a617d52374e937db0edacfba2a26bdd14a05538e\nAuthor: Joe Chen\nDate: Apr 5, 2017\nDescription: 2fa: initial support \n\nVulnerability Details\nThe function UseRecoveryCode in internal/database/two_factor.go fails to check that the recovery code belongs to the authenticating user. Instead, it looks for any unused recovery code:\nVulnerable Code Snippet\n```go\nfunc UseRecoveryCode(_ int64, code string) error {\n recoveryCode := new(TwoFactorRecoveryCode)\n has, err := x.Where(\"code = ?\", code).And(\"is_used = ?\", false).Get(recoveryCode)\n ...\n}\n```\nAlthough the caller passes userID, it is ignored. The result is a global lookup for any unused code, allowing an attacker to submit their own recovery code during another user\u0027s login flow.\n\nCall Chain\n\nweb login handler\n \u2192 UseRecoveryCode(userID, code)\n \u2192 DB query without userID constraint\nProof-of-Concept (PoC)\nDescription\nThis bug is tested against the latest version of Gogs hosted on [Dockerhub](https://hub.docker.com/r/gogs/gogs). Attacker uses their own recovery code to bypass another user\u2019s 2FA.\nSteps\nCreate attacker account A and enable 2FA. Save a code like \"abcde-fghij\".\nObtain credentials for victim B.\nAttempt login as B via web.\nWhen prompted for recovery code, submit A\u0027s code.\nLogin as B succeeds; A\u0027s code is marked as used.\n\n\nImpact\n2FA rendered ineffective for all users\nRealistic Exploitation Scenarios\nPublic Gogs instances with 2FA enabled\nDeveloper or maintainer accounts\nEnterprise self-hosted Gogs servers\nPotential Impact\nThis vulnerability critically undermines 2FA. Since recovery codes are not globally unique and lack user scoping, any attacker with victim credentials can use one of their own recovery codes to complete login as the victim \u2014 bypassing all 2FA protections. This opens the door to account hijacking, data exfiltration, and downstream supply chain compromise.\nTimeline\nAugust 2025: Discovered via GPT5\nAugust 2025: Reproduced and confirmed via PoC and sanitizer\nAug 6, 2025 - Sent to Gogs via https://github.com/gogs/gogs/security/advisories/new\n\n\nThis information is being shared by OpenAI solely for the purpose of improving security and reducing potential harm. This information is presented as-is. OpenAI Security Research makes no representations or warranties, express or implied, as to the completeness, accuracy, or fitness for any particular purpose of the information. [This includes, without limitation any suggestions or ideas presented on how to remedy or mitigate an identified vulnerability, including whether such suggestions or ideas would be effective and/or could have other negative impacts.]\nOpenAI disclaims any liability for direct or indirect damages arising from the reliance on, or use, misuse, or interpretation of this information. Any references to third-party systems, services, or entities are included solely for identification purposes and do not imply endorsement, responsibility, or attribution.",
"id": "GHSA-p6x6-9mx6-26wj",
"modified": "2026-02-06T19:06:46Z",
"published": "2026-02-06T17:54:52Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/gogs/gogs/security/advisories/GHSA-p6x6-9mx6-26wj"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64175"
},
{
"type": "WEB",
"url": "https://github.com/gogs/gogs/commit/a617d52374e937db0edacfba2a26bdd14a05538e"
},
{
"type": "WEB",
"url": "https://github.com/gogs/gogs/commit/d568e048315dc9729c8518d8085cab7dbbfac80f"
},
{
"type": "PACKAGE",
"url": "https://github.com/gogs/gogs"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Gogs Vulnerable to 2FA Bypass via Recovery Code"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.