Impact
The vulnerability is a Server-Side Request Forgery (SSRF) in Gogs's repository migration feature. Gogs validates only the hostname of the URL the user submits, but the underlying git command that performs the clone follows HTTP redirects on its own, so the host that passed validation is not necessarily the host git ends up fetching from. An authenticated user can submit a URL on a host they control that answers with a redirect to an address the check would have blocked, such as 127.0.0.1. The migration then mirrors the internal repository into a repository the attacker controls, exposing private source code. The primary impact is loss of confidentiality of internal repositories; credentials, deployment details, or other secrets held in that code can in turn be used for further attacks.
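The following is an added illustration of the check-then-redirect gap, written for this page; it is not Gogs's own code or its actual patch. `naiveCheck` has the shape the advisory describes (validate the submitted hostname once, then let git follow redirects), `hardenedCheck` re-validates every hop of the redirect chain, and `gitMirrorArgs` additionally turns off git's own redirect following with the real `http.followRedirects` config key. The `redirects` and `dns` tables are constructed stand-ins so the program runs offline; all function names and the example hosts are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
	"net/url"
	"strings"
)

// Constructed stand-in for HTTP 3xx responses: key = requested URL, value =
// the Location header it returns. No real requests are made anywhere below.
var redirects = map[string]string{
	"https://attacker.example/repo.git": "http://127.0.0.1:3000/internal/secret.git",
	"https://attacker.example/hop1.git": "https://attacker.example/hop2.git",
	"https://attacker.example/hop2.git": "http://169.254.169.254/latest/meta-data/",
	"https://attacker.example/loop.git": "https://attacker.example/loop.git",
}

// Constructed stand-in for DNS so the example never resolves a real name.
var dns = map[string][]string{
	"attacker.example": {"203.0.113.10"},
	"git.example.org":  {"198.51.100.7"},
	"localhost":        {"127.0.0.1"},
}

// blocked is the address policy an SSRF guard applies after resolution.
func blocked(a netip.Addr) bool {
	a = a.Unmap() // treat ::ffff:127.0.0.1 like 127.0.0.1
	return a.IsLoopback() || a.IsPrivate() || a.IsLinkLocalUnicast() ||
		a.IsUnspecified() || a.IsMulticast()
}

// checkHost validates one URL by scheme and by every address its host name
// resolves to. It is correct for the URL it sees and blind to where a
// redirect may later send git: this is the "hostname only" check.
func checkHost(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := strings.ToLower(u.Hostname())
	var addrs []netip.Addr
	if a, err := netip.ParseAddr(host); err == nil {
		addrs = []netip.Addr{a}
	} else {
		ips, ok := dns[host]
		if !ok {
			return nil, fmt.Errorf("host %q does not resolve", host)
		}
		for _, ip := range ips {
			addrs = append(addrs, netip.MustParseAddr(ip))
		}
	}
	for _, a := range addrs {
		if blocked(a) {
			return nil, fmt.Errorf("host %q resolves to blocked address %s", host, a)
		}
	}
	return u, nil
}

// naiveCheck is the pre-fix shape: validate the submitted URL once, then
// hand it to git, which follows Location headers on its own.
func naiveCheck(raw string) error {
	_, err := checkHost(raw)
	return err
}

// hardenedCheck re-applies checkHost to every hop of the redirect chain and
// caps the chain length. It returns the final URL that git should be given.
func hardenedCheck(raw string, maxHops int) (string, error) {
	cur := raw
	for hop := 0; hop <= maxHops; hop++ {
		u, err := checkHost(cur)
		if err != nil {
			return "", fmt.Errorf("hop %d: %w", hop, err)
		}
		loc, ok := redirects[cur]
		if !ok {
			return cur, nil // no redirect: this is where git would fetch from
		}
		next, err := u.Parse(loc) // resolves relative Location headers too
		if err != nil {
			return "", err
		}
		cur = next.String()
	}
	return "", errors.New("too many redirects")
}

// gitMirrorArgs builds the mirror clone with git's own redirect following
// disabled, so git cannot undo the check even if a hop were missed.
func gitMirrorArgs(src, dst string) []string {
	return []string{"git", "-c", "http.followRedirects=false",
		"clone", "--mirror", src, dst}
}

func main() {
	for _, u := range []string{
		"https://attacker.example/repo.git",
		"https://attacker.example/hop1.git",
		"https://git.example.org/clean.git",
	} {
		fmt.Printf("%-38s naive: %v\n", u, naiveCheck(u))
		final, err := hardenedCheck(u, 5)
		fmt.Printf("%-38s hardened: final=%q err=%v\n", u, final, err)
	}
	fmt.Println(strings.Join(gitMirrorArgs("https://git.example.org/clean.git", "/srv/gogs/mirror.git"), " "))
}
```

The attacker URL passes `naiveCheck` because attacker.example resolves to a public address, and only the redirect target is the loopback host. Two defenses are layered on purpose: walking the chain lets the server reject a bad hop with a useful error, while `http.followRedirects=false` makes git itself refuse any redirect it meets, so a check that misses a case (a DNS answer that changes between validation and clone, for example) still cannot be turned into an internal fetch.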
Affected Systems
The affected product is Gogs, an open-source self-hosted Git service. The CVE data does not enumerate affected versions; the GitHub advisory gives v0.14.3 as the fixed release, so installations running any version before 0.14.3 should be treated as affected.
Risk and Exploitability
The CVSS base score of 8.7 places this at high severity. No EPSS score is available, so there is no published exploitation-probability estimate, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an account on the Gogs instance: any user who can start a repository migration can submit a redirecting URL, and on instances with open self-registration that account is free to obtain. Because the redirect is followed by git on the server, the request reaches whatever the Gogs host can reach, so the practical blast radius depends on network segmentation and on which internal services, including Gogs itself on the loopback interface, accept HTTP requests from the server. Internal repositories often hold sensitive source code and embedded secrets, so the impact is significant wherever the attacker can then clone or publish the migrated copy.
OpenCVE Enrichment: GitHub GHSA