Impact
Gogs is an open-source, self-hosted Git service. Before version 0.14.3, password-reset tokens are created using the account-activation lifetime configuration (conf.Auth.ActivateCodeLives) instead of the intended reset-password lifetime setting (conf.Auth.ResetPasswordCodeLives). The token's lifetime is baked into the token itself at generation time and is re-extracted from the token at verification time, so the RESET_PASSWORD_CODE_LIVES setting has no effect on what is actually enforced. If an administrator configures a shorter reset window (for example 10 minutes) for compliance or security reasons, reset tokens remain usable for the full activation period, while the reset email incorrectly claims the shorter expiry. This flaw, which represents a time-of-check to time-of-use weakness (CWE-324) and improper handling of authentication tokens (CWE-613), allows an attacker who obtains a reset token to gain unauthorized access long after the password-reset window the administrator intended.
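To make the mechanism concrete, the following is an added Go example, not Gogs' own code: a simplified HMAC-signed token that carries its own start time and lifetime, with one verifier that trusts the lifetime re-extracted from the token (the pattern described above) and one that enforces the configured reset lifetime instead. The scheme, the secret and the function names (sign, makeToken, parse, verifyVulnerable, verifyFixed) are assumptions for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"strconv"
	"strings"
	"time"
)

// Constructed secret for this example; a real server uses its own key.
var secretKey = []byte("example-secret-do-not-reuse")
func sign(userID, payload string) string {
	mac := hmac.New(sha256.New, secretKey)
	mac.Write([]byte(userID + "|" + payload))
	return hex.EncodeToString(mac.Sum(nil))
}
// makeToken bakes the creation time and a lifetime (minutes) into the token
// ("<unix>:<minutes>:<hmac>"); the reset flow wrongly passes the activation lifetime.
func makeToken(userID string, start time.Time, minutes int) string {
	payload := strconv.FormatInt(start.Unix(), 10) + ":" + strconv.Itoa(minutes)
	return payload + ":" + sign(userID, payload)
}
// parse checks the signature and returns the embedded start time and lifetime.
func parse(userID, token string) (time.Time, int, bool) {
	p := strings.Split(token, ":")
	if len(p) != 3 || !hmac.Equal([]byte(sign(userID, p[0]+":"+p[1])), []byte(p[2])) {
		return time.Time{}, 0, false
	}
	unix, err1 := strconv.ParseInt(p[0], 10, 64)
	minutes, err2 := strconv.Atoi(p[1])
	if err1 != nil || err2 != nil {
		return time.Time{}, 0, false
	}
	return time.Unix(unix, 0), minutes, true
}

// verifyVulnerable re-extracts the lifetime from the token, so the configured
// reset lifetime never takes part in the check.
func verifyVulnerable(userID, token string, now time.Time) bool {
	start, minutes, ok := parse(userID, token)
	return ok && now.Before(start.Add(time.Duration(minutes)*time.Minute))
}

// verifyFixed ignores the embedded lifetime and enforces RESET_PASSWORD_CODE_LIVES.
func verifyFixed(userID, token string, now time.Time, resetLives int) bool {
	start, _, ok := parse(userID, token)
	return ok && now.Before(start.Add(time.Duration(resetLives)*time.Minute))
}
```

With a 180-minute activation lifetime baked into the token and a 10-minute reset setting, verifyVulnerable still accepts the token at 30 minutes while verifyFixed rejects it.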
Affected Systems
The vulnerability affects installations of Gogs prior to version 0.14.3. Administrators running earlier releases should review their activation and reset token lifetime settings and upgrade to 0.14.3 or later so that the configured reset window is actually enforced.
Risk and Exploitability
The vulnerability carries a CVSS score of 6.8 and is not listed in the CISA KEV catalog. Since the exploit path requires possession of a valid reset token, commonly obtained via phishing or interception of the reset email, the likelihood of exploitation is moderate. No publicly available exploits have been reported, and the EPSS score is not available. Overall, the risk is significant enough to warrant upgrading promptly.
OpenCVE Enrichment
GitHub GHSA