Description
Gogs is an open source self-hosted Git service. Prior to 0.14.3, the Gogs built-in Go SSH server is vulnerable to an unauthenticated, asymmetric Denial of Service (DoS) attack. The application accepts inbound TCP connections and passes them to golang.org/x/crypto/ssh.NewServerConn inside a new goroutine without enforcing any read/write deadlines on the underlying net.Conn. An unauthenticated attacker can open multiple TCP connections to the SSH port and simply withhold the SSH protocol banner. This forces the server to spawn an unbounded number of goroutines that block indefinitely waiting for socket I/O. This leads to complete File Descriptor (FD) exhaustion, preventing legitimate users from accessing the Git SSH service, and ultimately destabilizing the entire Gogs process (e.g., causing internal log rotation failures). This vulnerability is fixed in 0.14.3.
Published: 2026-06-24
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Gogs, the open‑source Git hosting platform, contains a flaw in its built‑in SSH server that allows an attacker to cause a denial of service. The server creates a new goroutine for each inbound TCP connection and does not set any read/write timeouts, so an unauthenticated client that opens a connection and simply stalls the SSH handshake can force the process to spawn an unlimited number of blocking goroutines. This drains file descriptor resources, preventing legitimate users from accessing the Git service and even destabilizing the entire Gogs process by triggering log‑rotation failures. The weakness is a classic resource exhaustion vulnerability (CWE‑400).

Affected Systems

Any Gogs deployment running a version earlier than 0.14.3 is affected. The flaw exists in the gogs:gogs product, which is pure Go code bundled with the SSH server. Upgrading to version 0.14.3 or newer removes the vulnerable code path and enforces proper connection handling. No other versions or patches are known to mitigate the issue before 0.14.3.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity; the EPSS score is not available, and the vulnerability is not listed in CISA KEV, suggesting it may not be actively exploited in the wild yet. An attacker can execute the attack by simply connecting to the configured SSH port and withholding the protocol banner, requiring no credentials or elevated privileges. Because the technique relies on unrestricted inbound traffic, any network reachable to the Gogs SSH port is a potential attack surface. If exploited, the service becomes unavailable to all users and could lead to broader system instability. Prompt patching is advisable to eliminate the risk.

Generated by OpenCVE AI on June 24, 2026 at 21:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Gogs to version 0.14.3 or later
  • Restart the Gogs service after the upgrade to ensure the new binary is in use
  • Configure network firewalls or SSH connection limits to cap the number of concurrent inbound connections and monitor for abnormal connection patterns

Generated by OpenCVE AI on June 24, 2026 at 21:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-xp79-5mx3-jx52 Gogs has Unauthenticated Asymmetric Denial of Service (DoS) via SSH Handshake Stall (File Descriptor Exhaustion)
History

Thu, 25 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 06:30:00 +0000

Type Values Removed Values Added
First Time appeared Gogs
Gogs gogs
Vendors & Products Gogs
Gogs gogs

Wed, 24 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Gogs is an open source self-hosted Git service. Prior to 0.14.3, the Gogs built-in Go SSH server is vulnerable to an unauthenticated, asymmetric Denial of Service (DoS) attack. The application accepts inbound TCP connections and passes them to golang.org/x/crypto/ssh.NewServerConn inside a new goroutine without enforcing any read/write deadlines on the underlying net.Conn. An unauthenticated attacker can open multiple TCP connections to the SSH port and simply withhold the SSH protocol banner. This forces the server to spawn an unbounded number of goroutines that block indefinitely waiting for socket I/O. This leads to complete File Descriptor (FD) exhaustion, preventing legitimate users from accessing the Git SSH service, and ultimately destabilizing the entire Gogs process (e.g., causing internal log rotation failures). This vulnerability is fixed in 0.14.3.
Title Gogs: Unauthenticated Asymmetric Denial of Service (DoS) via SSH Handshake Stall (File Descriptor Exhaustion)
Weaknesses CWE-400
References
Metrics cvssV4_0

{'score': 5.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-25T13:25:10.334Z

Reserved: 2026-06-08T18:11:06.660Z

Link: CVE-2026-52814

cve-icon Vulnrichment

Updated: 2026-06-25T13:25:02.520Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T06:15:15Z

Weaknesses
  • CWE-400

    Uncontrolled Resource Consumption