CVE-2024-56731

moderate-risk

Published 2025-06-24

Gogs is an open source self-hosted Git service. Prior to version 0.13.3, it's still possible to delete files under the .git directory and achieve remote command execution due to an insufficient patch for CVE-2024-39931. Unprivileged user accounts can execute arbitrary commands on the Gogs instance with the privileges of the account specified by RUN_USER in the configuration. Allowing attackers to access and alter any users' code hosted on the same instance. This issue has been patched in version 0.13.3.

Do I need to act?

2.6% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Fix available

Upgrade to: 5084b4a9b77a506f5e287e82e945e1c6882b827a

CVSS 10.0/10 Critical

NETWORK / LOW complexity

Affected Products (1)

Gogs

Affected Vendors

Gogs

References (3)

Patch https://github.com/gogs/gogs/commit/77a4a945ae9a87f77e392e9066b560edb71b5de9

Release Notes https://github.com/gogs/gogs/releases/tag/v0.13.3

Patch https://github.com/gogs/gogs/security/advisories/GHSA-wj44-9vcg-wjq7

/ 100

moderate-risk

Severity 33/34 · Critical

Exploitability 6/34 · Minimal

Exposure 5/34 · Minimal