Impact
Gogs allows users to create webhook deliveries that can be pointed at arbitrary URLs. Prior to version 0.14.3, the fix for a previous remote-code execution vulnerability rejected webhook URLs whose hostnames resolve to IPs in private or local CIDR ranges. However, that check applies only to the URL configured for the webhook, while the HTTP client still follows redirects, so an attacker can point a webhook at an external URL that redirects to an internal host, resulting in a Server-Side Request Forgery (SSRF). The vulnerability enables an attacker to cause Gogs to issue requests to internal resources, potentially exposing sensitive data or facilitating further attacks inside the network. This flaw is addressed by releases starting with 0.14.3. This is a CWE-918 vulnerability.
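The defensive pattern that closes this class of bug is to re-validate the destination on every redirect hop rather than only on the user-supplied URL. The following is an added Go example written for this page, not Gogs' own code; the `lookup` indirection and the `isInternal` deny list are assumptions chosen for illustration.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/url"
)

// lookup is the DNS resolver used by validateTarget; a variable so tests can stub it.
var lookup = net.LookupIP

// isInternal reports whether an address must never be a webhook destination:
// loopback, RFC 1918 / ULA private space, link-local (v4 and v6) and unspecified.
func isInternal(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsUnspecified()
}

// validateTarget resolves the URL's host and rejects it if any returned
// address is internal. Applying it to every redirect hop, not only to the
// URL the user entered, is what closes the redirect-based SSRF described above.
func validateTarget(u *url.URL) error {
	host := u.Hostname()
	ips := []net.IP{net.ParseIP(host)}
	if ips[0] == nil { // not an IP literal: resolve the name
		var err error
		if ips, err = lookup(host); err != nil {
			return fmt.Errorf("resolving webhook host %q: %w", host, err)
		}
	}
	for _, ip := range ips {
		if isInternal(ip) {
			return fmt.Errorf("webhook target %q resolves to internal address %s", host, ip)
		}
	}
	return nil
}

// newWebhookClient builds an http.Client whose CheckRedirect re-validates the
// destination on each hop, so a public URL cannot bounce the request inward.
// Go's default 10-redirect limit only applies when CheckRedirect is nil, so
// the hop count is enforced explicitly here.
func newWebhookClient() *http.Client {
	return &http.Client{CheckRedirect: func(req *http.Request, via []*http.Request) error {
		if len(via) >= 5 {
			return fmt.Errorf("stopped after %d redirects", len(via))
		}
		return validateTarget(req.URL)
	}}
}
```

A name that resolves to a public address at check time can still be re-pointed at an internal one before the connection is made (DNS rebinding), so a hardened client additionally applies the same check to the actual address inside a custom `DialContext`.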
Affected Systems
The affected product is Gogs, an open‑source self‑hosted Git service. Versions before 0.14.3 are vulnerable. No specific sub‑version list is provided, but any build of Gogs older than 0.14.3 is impacted.
Risk and Exploitability
The CVSS score for this weakness is 8.3, indicating substantial risk. The EPSS score is unavailable and it is not listed in CISA KEV. Attackers need the ability to add or trigger a webhook inside the Gogs instance; this requirement is inferred from typical permissions needed for creating or triggering hooks, and is not explicitly stated in the description. Once a webhook can be manipulated, the redirect‑follow flaw can cause Gogs to send requests to internal hosts, exposing internal resources and potentially enabling further exploitation of internal services. Overall risk remains high due to the severity score and the potential impact on internal network confidentiality, integrity, and availability.