CVE-2026-25242
Gogs allows unauthenticated file uploads
In short
Gogs allows anyone on the internet to upload files without logging in, which can fill up the server's disk space, host unwanted content, or spread malware.
Technical detail
Unauthenticated POST requests to /releases/attachments and /issues/attachments are accepted when the global RequireSigninView setting is disabled (the default), so no login is needed to store files on the server. CSRF tokens do not mitigate the issue: the token cookie is issued to any visitor of the same origin, authenticated or not, so an attacker can obtain a valid token before uploading. Impact includes disk exhaustion, unauthorized content hosting, and malware distribution.
Summary generated and translated by AI from the official description.
Gogs is an open source self-hosted Git service. Versions 0.13.4 and below expose unauthenticated file upload endpoints by default. When the global RequireSigninView setting is disabled (default), any remote user can upload arbitrary files to the server via /releases/attachments and /issues/attachments. This enables the instance to be abused as a public file host, potentially leading to disk exhaustion, content hosting, or delivery of malware. CSRF tokens do not mitigate this attack due to same-origin cookie issuance. This issue has been fixed in version 0.14.1.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
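To check whether an instance you operate is exposed, send a single unauthenticated upload to each of the two endpoints and look at how the server answers: a 2xx means the file was stored without a session, a redirect to the login page or a 401/403 means sign-in is enforced. The script below is an added example for this page, not code from the advisory or from the Gogs project. It assumes the multipart field name is "file" and that an unauthenticated request is redirected to /user/login when RequireSigninView is enabled; both are assumptions about the server, not facts stated above. It also classifies a version string against the ranges the advisory gives (0.13.4 and below affected, 0.14.1 fixed, anything in between not stated). Run it only against instances you are authorized to test, since a successful probe leaves a one-byte attachment on the server.

```python
"""Probe a Gogs instance for unauthenticated attachment uploads (CVE-2026-25242).

Added example, not part of the advisory or of Gogs itself. Assumptions:
  - the upload form field is named "file" (assumed, not stated on the page)
  - a protected instance redirects anonymous requests to /user/login (assumed)
"""
import re
import sys
import uuid
import urllib.error
import urllib.request

ENDPOINTS = ("/releases/attachments", "/issues/attachments")


def version_status(version):
    """Classify a version string against the advisory's ranges.

    "affected": 0.13.4 and below; "fixed": 0.14.1 and above;
    "unknown": anything in between, which the advisory does not cover.
    Suffixes such as "+dev" are ignored.
    """
    parts = tuple(int(re.sub(r"\D.*", "", p) or 0)
                  for p in version.lstrip("v").split(".")[:3])
    parts = parts + (0,) * (3 - len(parts))
    if parts <= (0, 13, 4):
        return "affected"
    if parts >= (0, 14, 1):
        return "fixed"
    return "unknown"


def build_multipart(field, filename, content):
    """Build a multipart/form-data body with one file part.

    Returns (content_type_header_value, body_bytes).
    """
    boundary = "----probe" + uuid.uuid4().hex
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        "Content-Type: text/plain\r\n\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return f"multipart/form-data; boundary={boundary}", head + content + tail


def classify_response(status, headers):
    """Interpret the reply to an unauthenticated upload.

    2xx                         -> "exposed"      (stored without a session)
    302/303 to the login page   -> "protected"    (sign-in enforced)
    401/403                     -> "protected"
    anything else               -> "inconclusive"
    """
    location = headers.get("Location", "") if headers is not None else ""
    if 200 <= status < 300:
        return "exposed"
    if status in (302, 303) and "/user/login" in location:
        return "protected"
    if status in (401, 403):
        return "protected"
    return "inconclusive"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects, so the Location header stays visible to us."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(base_url, path, timeout=10):
    """POST a one-byte file without any cookies and classify the result."""
    ctype, body = build_multipart("file", "probe.txt", b"x")
    req = urllib.request.Request(base_url.rstrip("/") + path, data=body, method="POST")
    req.add_header("Content-Type", ctype)
    opener = urllib.request.build_opener(NoRedirect())
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify_response(resp.status, resp.headers)
    except urllib.error.HTTPError as err:
        # Redirects and 4xx/5xx both arrive here because NoRedirect refuses to follow.
        return classify_response(err.code, err.headers)


if __name__ == "__main__":
    base = sys.argv[1]  # e.g. https://gogs.example.internal
    for endpoint in ENDPOINTS:
        print(f"{endpoint}: {probe(base, endpoint)}")
```

Two results of "protected" on a pre-0.14.1 instance mean RequireSigninView is on, which closes the anonymous path but is not a substitute for upgrading; "exposed" on either endpoint means the instance can be used as a public file host today. The setting lives in the Gogs app.ini `[service]` section as `REQUIRE_SIGNIN_VIEW` in the versions I am aware of; that key name comes from the Gogs configuration rather than from this page, so verify it against your own install.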
Affected products
gogs · gogs