Impact
Gogs, the open‑source Git hosting platform, contains a flaw in its built‑in SSH server that allows an attacker to cause a denial of service. The server creates a new goroutine for each inbound TCP connection and does not set any read/write timeouts, so an unauthenticated client that opens a connection and simply stalls the SSH handshake can force the process to spawn an unlimited number of blocking goroutines. This drains file descriptor resources, preventing legitimate users from accessing the Git service and even destabilizing the entire Gogs process by triggering log‑rotation failures. The weakness is a classic resource exhaustion vulnerability (CWE‑400).
Affected Systems
Any Gogs deployment running a version earlier than 0.14.3 is affected. The flaw exists in the gogs:gogs product, which is pure Go code bundled with the SSH server. Upgrading to version 0.14.3 or newer removes the vulnerable code path and enforces proper connection handling. No other versions or patches are known to mitigate the issue before 0.14.3.
Risk and Exploitability
The CVSS score of 5.5 indicates moderate severity; the EPSS score is not available, and the vulnerability is not listed in CISA KEV, suggesting it may not be actively exploited in the wild yet. An attacker can execute the attack by simply connecting to the configured SSH port and withholding the protocol banner, requiring no credentials or elevated privileges. Because the technique relies on unrestricted inbound traffic, any network reachable to the Gogs SSH port is a potential attack surface. If exploited, the service becomes unavailable to all users and could lead to broader system instability. Prompt patching is advisable to eliminate the risk.
OpenCVE Enrichment
Github GHSA