Gogs has arbitrary file read/write via Path Traversal in Git hook editing

基本資訊

  • GHSA ID: GHSA-mrph-w4hh-gx3g
  • CVE ID: CVE-2026-23633
  • 嚴重性: MEDIUM
  • 發布時間: 2026-02-06T18:14:51Z
  • 來源: GitHub Advisory

漏洞描述

Vulnerability Description

In the endpoint:

/username/reponame/settings/hooks/git/:name

the :name parameter:

  • Is URL-decoded by macaron routing, allowing decoded slashes (/)
  • Is then passed directly to:
git.Repository.Hook("custom_hooks", name)

which internally resolves the path as:

filepath.Join(repoPath, "custom_hooks", name)

Because no path sanitization is applied, supplying ../ sequences allows access to arbitrary paths outside the repository.

As a Result:

  • GET: Arbitrary file contents are displayed in the hook edit page textarea (Local File Inclusion).
  • POST: Existing files can be overwritten with attacker-controlled content (Arbitrary File Write).

Attack Prerequisites

  • The attacker is an authenticated user
  • The attacker has Admin or higher privileges on the target repository
  • The attacker has the AllowGitHook permission (or is a site administrator)
  • The target file is readable/writable by the Gogs process OS permissions

Attack Scenario

  1. An attacker (with AllowGitHook + repository Admin privileges) accesses the Git hook edit URL
  2. A path containing ../ is supplied in :name, fully URL-encoded using %2f
  3. The server resolves custom_hooks/../../... without validation
  4. Arbitrary file contents are displayed and existing files can be overwritten

Potential Impact

  • Sensitive information disclosure: app.ini, databases, logs, environment variables, etc.
  • Configuration or data tampering: Overwriting existing files
  • Secondary impact: Extraction of SECRET_KEY and database credentials may allow token forging or further compromise

影響範圍

  • go:gogs.io/gogs (<= 0.13.3) → 0.13.4

CVSS 評分

  • CVSS v3: 6.5 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N)

CWE 分類

  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

EPSS 評分

  • EPSS: N/A

萃取備註

  • 資料來源: GitHub Security Advisories Database
  • 信心水準: 高(官方漏洞資料庫)
  • 處理時間: 2026-02-08T07:48:02.766740