Gogs Path Traversal: How ../../../ Gave Hackers the Keys to the Castle
Jan 15, 2026
Executive Summary (TL;DR)
Gogs versions prior to 0.13.1 failed to sanitize file paths in the API and web editor. Authenticated attackers with write access to a repository can use directory traversal characters (`../`) to break out of the repo directory. By overwriting `~/.ssh/authorized_keys`, attackers can grant themselves SSH access to the server, resulting in full RCE.
A critical path traversal vulnerability in Gogs allows authenticated users to escape the repository sandbox and overwrite arbitrary files on the host system. This flaw typically leads to immediate Remote Code Execution (RCE) by overwriting the git user's SSH authorized_keys file.
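The flaw described above is a containment failure: a repository-relative file name supplied by the client is joined onto the repository directory without checking where the resulting path lands. The Go code below is an added defensive example, not Gogs's own code and not its 0.13.1 fix; it shows the unsafe join beside a check that rejects any path resolving outside the repository root. The repository root and file names used in `main` are constructed sample values.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Errors returned by safeRepoPath (names are this example's own).
var (
	ErrPathEscapesRepo = errors.New("path escapes repository root")
	ErrInvalidPath     = errors.New("invalid file path")
)

// naiveJoin mirrors the vulnerable pattern: the caller-controlled path is
// appended to the repository directory and used as-is. filepath.Join cleans
// the result, so "../" components are applied and walk above the root.
func naiveJoin(repoRoot, userPath string) string {
	return filepath.Join(repoRoot, userPath)
}

// safeRepoPath joins userPath onto repoRoot and only returns the result if
// it still lies strictly inside repoRoot. The containment test is done on the
// cleaned path via filepath.Rel, so "docs/../../x" is caught just like "../x".
func safeRepoPath(repoRoot, userPath string) (string, error) {
	if userPath == "" || strings.ContainsRune(userPath, '\x00') {
		return "", ErrInvalidPath
	}
	root := filepath.Clean(repoRoot)
	target := filepath.Join(root, userPath)

	rel, err := filepath.Rel(root, target)
	if err != nil {
		return "", ErrPathEscapesRepo
	}
	// "." means the caller named the repository directory itself, not a file.
	if rel == "." {
		return "", ErrInvalidPath
	}
	// Anything that starts by stepping up a level resolves outside the root.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrPathEscapesRepo
	}
	return target, nil
}

func main() {
	// Constructed sample repository location; not a real Gogs layout.
	root := "/srv/gogs/repos/alice/demo"
	for _, p := range []string{"README.md", "docs/../../x", "../../../.ssh/authorized_keys"} {
		unsafe := naiveJoin(root, p)
		safe, err := safeRepoPath(root, p)
		fmt.Printf("%-32q naive=%s safe=%s err=%v\n", p, unsafe, safe, err)
	}
}
```

The check is lexical only: it does not follow symlinks, so a repository that already contains a symlink pointing outside the tree would still need `filepath.EvalSymlinks` on the parent directory before writing. On Go 1.20 and later, `filepath.IsLocal` performs an equivalent lexical containment test and can replace the `Rel` logic.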
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Systems
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
| Gogs | < 0.13.1 | 0.13.1 |

| Attribute | Detail |
|---|---|
| CWE | CWE-22 (Path Traversal) |
| CVSS v3.1 | 8.8 (Critical) |
| Attack Vector | Network (Authenticated) |
| Impact | Remote Code Execution (RCE) via File Write |
| Fixed Version | 0.13.1 |
| EPSS Score | 1.60% (High Percentile) |
MITRE ATT&CK Mapping
CWE-22 (Path Traversal), as listed above, is defined as: the software uses external input to construct a pathname that is intended to identify a file or directory located underneath a restricted parent directory, but does not properly neutralize special elements within the pathname that can cause it to resolve to a location outside of the restricted directory.