Impact
Gogs, an open‑source self‑hosted Git service, contains an OS command injection flaw that allows an authenticated user to trigger remote code execution on the server. By creating a pull request with a specially crafted branch name, the user can inject the --exec flag into the git rebase command executed during the "Rebase before merging" merge operation, allowing arbitrary commands to run under the service process. The vulnerability is categorized as CWE‑77 and carries a high impact score of 9.9 on the CVSS scale.
Affected Systems
All Gogs installations running a version prior to 0.14.3 are affected. The flaw applies to every instance that permits authenticated users to create pull requests and use the rebase‑before‑merge merge strategy. Users operating older releases should identify the exact version of Gogs deployed and verify whether it is below the fixed release.
Risk and Exploitability
This issue is high severity and is not listed in the CISA KEV catalog. The exploitation requires only that the attacker be authenticated with sufficient privileges to create pull requests, which is typical for repository collaborators. Because the flaw directly invokes a shell command with user‑controlled input, the risk of successful exploitation is significant. The EPSS score of 1% indicates a low but nonzero exploitation probability.
OpenCVE Enrichment
Github GHSA