Impact
Gogs instances prior to version 0.14.2 allow an attacker to overwrite any LFS object in any repository, because the server stores uploaded LFS content without verifying that its hash matches the object ID (OID) the client supplies. A Git LFS pointer committed to a repository names its object only by OID (the SHA-256 digest of the content) and size, so whoever can write an object under a given OID decides what every clone of every repository referencing that OID receives. The vulnerability can therefore be leveraged to replace legitimate large files (release binaries, installers, model weights, build inputs) with attacker-controlled binaries or scripts, injecting malicious code into software artifacts. The flaw is primarily an integrity failure: a stored object no longer matches its content address, and trust in the affected codebases and in anything built from them is lost.
Affected Systems
The affected product is the Gogs self-hosted Git service, all versions earlier than 0.14.2; anyone running an earlier build on their own servers is vulnerable. The fix ships in 0.14.2 and later. Nothing indicates that a particular operating system or configuration changes the risk, so every unpatched self-hosted deployment should be treated as affected. Because the flaw sits in LFS object handling, instances that store and serve LFS objects are the ones directly exposed.
Risk and Exploitability
The CVSS score of 9.3 indicates critical severity. EPSS puts the likelihood of exploitation in the wild at very low (below 1%), and the vulnerability is not currently listed in CISA's KEV catalogue. The attack vector is inferred to be remote, via the standard LFS upload endpoints the service exposes. An attacker needs write access to a repository, or any other way to push LFS objects to the server, which collaborators on a project routinely have; since the overwrite reaches objects "in any repository", an object pushed through a repository the attacker controls can replace the same OID as used by repositories the attacker cannot otherwise write to. With that access, the attacker uploads a malicious object under the OID of an existing legitimate object; because the server does not recompute the hash before storing, the upload replaces the original and is served wherever that OID is referenced. A low EPSS reflects observed exploitation activity, not difficulty: the required access is ordinary contributor access and the request is a normal LFS upload, so the patch should be applied without waiting for exploitation reports.
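To make the missing check concrete, the following is an added example written for this page; it is not Gogs code and is not taken from the advisory. It contrasts a store that trusts the client-supplied OID (the pattern the advisory describes) with one that hashes the upload while streaming it to disk and only commits the object when the SHA-256 and declared size match. The content-addressed directory layout, the function names, the sentinel errors, the decision to refuse uploads for an OID that already exists, and the sample payloads are all assumptions of this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// Sentinel errors returned by the hardened path (names are this example's, not Gogs').
var (
	ErrBadOID       = errors.New("lfs: oid must be 64 lowercase hex characters")
	ErrSizeMismatch = errors.New("lfs: uploaded size does not match declared size")
	ErrHashMismatch = errors.New("lfs: sha256 of uploaded content does not match oid")
	ErrExists       = errors.New("lfs: object already exists; refusing to overwrite")
)

// oidOf returns the LFS object id for content: the lowercase hex SHA-256 digest.
func oidOf(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// validOID accepts exactly 64 lowercase hex characters, which also keeps a crafted
// oid such as "../../x" from escaping the object root via objectPath.
func validOID(oid string) bool {
	if len(oid) != 64 {
		return false
	}
	for _, c := range oid {
		if !((c >= '0' && c <= '9') || (c >= 'a' && c <= 'f')) {
			return false
		}
	}
	return true
}

// objectPath is an assumed content-addressed layout: <root>/<oid[0:2]>/<oid[2:4]>/<oid>.
// The store is keyed only by oid, so one oid is shared by every repository.
func objectPath(root, oid string) string {
	return filepath.Join(root, oid[0:2], oid[2:4], oid)
}

// vulnerableStore models the flaw: it trusts the client-supplied oid, never hashes the
// body, and os.Create truncates and replaces whatever object already sits at that oid.
func vulnerableStore(root, oid string, body io.Reader) error {
	p := objectPath(root, oid)
	if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
		return err
	}
	f, err := os.Create(p)
	if err != nil {
		return err
	}
	defer f.Close()
	_, err = io.Copy(f, body)
	return err
}

// hardenedStore streams the body into a temp file while hashing it and renames the temp
// file into place only if the declared size and the oid both match what was received.
// An oid that already exists is left untouched: a verified object never needs replacing.
func hardenedStore(root, oid string, size int64, body io.Reader) error {
	if !validOID(oid) {
		return ErrBadOID
	}
	p := objectPath(root, oid)
	if _, err := os.Stat(p); err == nil {
		return ErrExists
	}
	if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
		return err
	}
	tmp, err := os.CreateTemp(filepath.Dir(p), ".upload-*")
	if err != nil {
		return err
	}
	defer os.Remove(tmp.Name()) // harmless no-op once the rename below has succeeded
	h := sha256.New()
	// Read at most size+1 bytes so an oversized body is detected without buffering it all.
	n, err := io.Copy(io.MultiWriter(tmp, h), io.LimitReader(body, size+1))
	if cerr := tmp.Close(); err == nil {
		err = cerr
	}
	if err != nil {
		return err
	}
	if n != size {
		return ErrSizeMismatch
	}
	if hex.EncodeToString(h.Sum(nil)) != oid {
		return ErrHashMismatch
	}
	return os.Rename(tmp.Name(), p)
}

// readObject returns the bytes currently stored for oid.
func readObject(root, oid string) ([]byte, error) {
	return os.ReadFile(objectPath(root, oid))
}

func main() {
	root, _ := os.MkdirTemp("", "lfs-demo-")
	defer os.RemoveAll(root)
	legit := []byte("legitimate release binary (constructed sample)")
	oid := oidOf(legit)
	_ = vulnerableStore(root, oid, strings.NewReader(string(legit)))
	_ = vulnerableStore(root, oid, strings.NewReader("attacker payload"))
	got, _ := readObject(root, oid)
	fmt.Printf("vulnerable store now serves %q under the legitimate oid\n", got)
	fmt.Println("hardened overwrite attempt:",
		hardenedStore(root, oid, 16, strings.NewReader("attacker payload")))
}
```

The important ordering is that nothing is written to the final path until the hash has been checked: hashing into a temp file and renaming atomically means a rejected upload never exists at the content address, even briefly. The OID format check doubles as a path-traversal guard because the OID is used to build a filesystem path.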
OpenCVE Enrichment
Github GHSA