thecybersecguru.com via Reddit

Gogs RCE zero-day hits CISA KEV, 2,400 servers exposed


Key insights

  • Gogs ships with open registration on by default, so an RCE that is technically authenticated is exploitable without prior credentials against any exposed instance.
  • Rapid7 followed coordinated disclosure norms for over two months before going public, but Gogs' maintainer never responded, leaving 2,400+ servers unpatched.
  • CISA's KEV listing imposes federal remediation deadlines but assumes a patch exists; this case leaves compliant organizations with no actionable fix to apply.

Why this matters

CISA's KEV catalog assumes a vendor patch exists or is forthcoming, and this case has no fix, putting federal agencies and every organization with a compliance mandate in an impossible position. The 2,400+ Shadowserver-visible instances represent only publicly accessible deployments; private Gogs servers used for proprietary AI model code, training data pipelines, and internal tooling go uncounted and are equally vulnerable. The argument-injection technique here is transferable to any git-based tooling that processes user-controlled branch names, meaning the attack surface extends well beyond Gogs itself.
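The transferable lesson for any service that wraps git is that a user-controlled ref name must never land in an argument position where git could parse it as an option. The following is an added defensive example, not Gogs code or Rapid7's finding: a hypothetical `ValidateBranchName` that applies git's documented ref-name rules (from git-check-ref-format(1)) and rejects names beginning with `-`, plus a hypothetical `GitRebaseArgs` that builds the argv with git's real `--end-of-options` separator (available since git 2.24) so that the ref cannot be read as a flag even if validation were bypassed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrUnsafeRef is returned for any name that must not be handed to git as an argument.
var ErrUnsafeRef = errors.New("unsafe ref name")

// ValidateBranchName enforces a conservative subset of the rules in
// git-check-ref-format(1). The first check is the one that matters for
// argument injection: a name starting with '-' would be parsed by git as an option.
func ValidateBranchName(name string) error {
	if name == "" || len(name) > 255 {
		return fmt.Errorf("%w: empty or too long", ErrUnsafeRef)
	}
	if strings.HasPrefix(name, "-") {
		return fmt.Errorf("%w: starts with '-'", ErrUnsafeRef)
	}
	if name == "@" || strings.Contains(name, "..") || strings.Contains(name, "@{") {
		return fmt.Errorf("%w: forbidden sequence", ErrUnsafeRef)
	}
	if strings.HasSuffix(name, "/") || strings.HasSuffix(name, ".") {
		return fmt.Errorf("%w: bad trailing character", ErrUnsafeRef)
	}
	// No ASCII control characters and none of git's reserved punctuation.
	for _, r := range name {
		if r < 0x20 || r == 0x7f || strings.ContainsRune(" ~^:?*[\\", r) {
			return fmt.Errorf("%w: illegal character %q", ErrUnsafeRef, r)
		}
	}
	// Per-component rules: no empty components (catches "//" and a leading "/"),
	// no component starting with "." and none ending in ".lock".
	for _, comp := range strings.Split(name, "/") {
		if comp == "" || strings.HasPrefix(comp, ".") || strings.HasSuffix(comp, ".lock") {
			return fmt.Errorf("%w: bad path component %q", ErrUnsafeRef, comp)
		}
	}
	return nil
}

// GitRebaseArgs builds the argv for rebasing onto a user-supplied branch.
// The ref is validated and then placed after "--end-of-options", so it can
// only ever be interpreted as an operand, never as a flag. (Hypothetical
// wrapper; it returns the argv rather than executing it.)
func GitRebaseArgs(base string) ([]string, error) {
	if err := ValidateBranchName(base); err != nil {
		return nil, err
	}
	return []string{"git", "rebase", "--end-of-options", base}, nil
}

func main() {
	// Constructed sample names: one ordinary branch, one option-shaped name,
	// and a few that break other ref-format rules.
	for _, n := range []string{"feature/login", "--not-a-branch", "release-1.0", "a..b", "a//b", "x.lock"} {
		args, err := GitRebaseArgs(n)
		if err != nil {
			fmt.Printf("%-16q rejected: %v\n", n, err)
			continue
		}
		fmt.Printf("%-16q -> %v\n", n, args)
	}
}
```

Both layers are worth keeping: validation gives a clear audit log entry when a registered user submits an option-shaped name, and the explicit end-of-options separator means a future code path that forgets to validate still cannot turn the ref into a flag. The same pattern applies to any git subcommand that accepts a ref or path operand.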

Summary

Gogs, a self-hosted Git server widely used by developer teams, has a critical unpatched RCE flaw after its maintainer stopped responding to Rapid7's coordinated disclosure. The attack injects arguments through malicious branch names during rebase merges. Because open registration ships as a default, CISA treats the flaw as effectively unauthenticated and has added it to its Known Exploited Vulnerabilities catalog. In short, Gogs, Rapid7, and CISA are at a standstill, with no patch, no CVE, and no fix timeline.

  • Shadowserver tracks 2,400+ exposed instances with no patch available.
  • Disabling open registration or taking the instance offline are the only mitigations.
  • US federal agencies face KEV compliance deadlines with nothing to apply.

For teams running Gogs, the vendor has gone silent and the exposure is indefinite.

Potential risks and opportunities

Risks

  • Developer teams using Gogs for internal source code hosting risk full repository compromise and code exfiltration if attackers register accounts before administrators disable open registration.
  • US federal agencies and contractors subject to KEV compliance deadlines face a violation scenario with no vendor fix available and only workflow-disrupting manual mitigations as alternatives.
  • Gitea and Forgejo communities may face reputational spillover as non-technical stakeholders conflate the codebases, diverting security scrutiny toward projects that have active maintainers and separate security processes.

Opportunities

  • Gitea and Forgejo, the actively maintained forks of the Gogs codebase, stand to absorb migrations from exposed instances as teams seek a supported alternative with an active security response process.
  • Managed SCM providers including GitLab, GitHub Enterprise, and Bitbucket Data Center can target the identified 2,400+ Gogs deployments with direct outreach on migration paths and SLA-backed security response.
  • Rapid7 and Shadowserver gain credibility as the disclosure and tracking parties respectively, strengthening their positioning with enterprise security teams evaluating threat intelligence and vulnerability management vendors.

What we don't know yet

  • Whether any of the 2,400+ exposed instances have been actively exploited in the wild; CISA's KEV listing implies known exploitation, but no specific confirmed incident has been made public.
  • Whether Gogs' maintainer has permanently abandoned the project or is temporarily unreachable, and whether a community-led patch effort or formal fork is currently underway.
  • Which specific Gogs versions are affected and whether the argument-injection technique carries over to downstream codebases that share early Gogs history, including older Gitea releases.