CVE-2024-56731

Gogs RCE: The Symlink That Killed the Patch (CVE-2024-56731)

Amit Schendel
Senior Security Researcher

Jan 1, 2026 · 4 min read

Executive Summary (TL;DR)

Gogs tried to stop attackers from deleting `.git` files by checking file names. Attackers bypassed this with symbolic links (e.g., `evil_link` -> `.git/config`): the name check sees only `evil_link`, but editing that symlink through the web UI writes through to the target, so Git hooks can be overwritten and full RCE achieved. CVSS 10.0.

CVE-2024-56731 is a critical Remote Command Execution vulnerability in Gogs versions prior to 0.13.3. It bypasses the previous fix for CVE-2024-39931 and allows any authenticated user to overwrite internal Git files via symbolic links.
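To make the bypass concrete from the defender's side, the following is an added example (written for this write-up, not Gogs's own code and not the actual 1cba9bc patch): a name-only check of the kind described above beside a hardened variant that refuses symlinks in any path component and rejects traversal out of the repository. The function names `isProtectedByName`, `isProtectedResolved` and `demo` are hypothetical, and `demo` builds a constructed repository with `evil_link -> .git/config` in a temp directory.

```go
package main

import (
	"os"
	"path/filepath"
	"strings"
)

// isProtectedByName is the name-only check the page describes: it flags a path only when one of its components is literally ".git".
func isProtectedByName(relPath string) bool {
	for _, part := range strings.Split(filepath.ToSlash(filepath.Clean(relPath)), "/") {
		if part == ".git" {
			return true
		}
	}
	return false
}

// isProtectedResolved is a hardened variant (hypothetical, not Gogs code): it rejects paths that escape
// the repository, then Lstats every component and rejects a symlink anywhere, so evil_link -> .git/config fails.
func isProtectedResolved(repoRoot, relPath string) bool {
	root := filepath.Clean(repoRoot)
	abs := filepath.Join(root, relPath)
	if !strings.HasPrefix(abs, root+string(os.PathSeparator)) {
		return true // "../" traversal out of the repository
	}
	rel, _ := filepath.Rel(root, abs)
	cur := root
	for _, part := range strings.Split(rel, string(os.PathSeparator)) {
		cur = filepath.Join(cur, part)
		if fi, err := os.Lstat(cur); err != nil {
			break // component does not exist yet: nothing left to follow
		} else if fi.Mode()&os.ModeSymlink != 0 {
			return true
		}
	}
	return isProtectedByName(rel)
}

// demo builds a constructed repo in a temp dir holding evil_link -> .git/config and checks "evil_link" both ways.
func demo() (nameOnly, resolved bool) {
	root, _ := os.MkdirTemp("", "gogs-symlink-demo")
	defer os.RemoveAll(root)
	_ = os.MkdirAll(filepath.Join(root, ".git"), 0o755)
	_ = os.WriteFile(filepath.Join(root, ".git", "config"), []byte("[core]\n"), 0o644)
	_ = os.Symlink(filepath.Join(".git", "config"), filepath.Join(root, "evil_link"))
	return isProtectedByName("evil_link"), isProtectedResolved(root, "evil_link")
}
```

`demo()` returns `false, true`: the name-only check lets `evil_link` through, the symlink-aware check blocks it.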


Technical Appendix

CVSS Score: 10.0 / 10
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS Probability: 0.42% (top 88% most exploited)
45,000 via Shodan

Affected Systems

Gogs (Self-Hosted Git Service)

Affected Versions Detail

Product: Gogs
Affected Versions: < 0.13.3
Fixed Version: 0.13.3
CWE: CWE-59 (Link Following)
Attack Vector: Network (Authenticated)
CVSS: 10.0 (Critical)
Impact: Remote Command Execution (RCE)
Privileges: Low (Any authenticated user)
Fix Version: 0.13.3
CWE-59: Improper Link Resolution Before File Access ('Link Following')

Vulnerability Timeline

2024-07-01  Original flaw CVE-2024-39931 disclosed
2024-12-25  Bypass discovered and patched in commit 1cba9bc
2024-12-27  Gogs v0.13.3 released