Jan 1, 2026 · 4 min read
Gogs tried to stop hackers from deleting `.git` files by checking file names. Hackers bypassed this by using symbolic links (e.g., `evil_link` -> `.git/config`). By editing the symlink via the Web UI, attackers can overwrite Git hooks and achieve full RCE. CVSS 10.0.
This is a critical Remote Command Execution vulnerability in Gogs versions prior to 0.13.3. The flaw bypasses a previous fix (CVE-2024-39931) and allows authenticated users to overwrite internal Git files via symbolic links.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

| Product | Affected Versions | Fixed Version |
|---|---|---|
| Gogs | < 0.13.3 | 0.13.3 |
| Attribute | Detail |
|---|---|
| CWE | CWE-59: Improper Link Resolution Before File Access ('Link Following') |
| Attack Vector | Network (Authenticated) |
| CVSS | 10.0 (Critical) |
| Impact | Remote Command Execution (RCE) |
| Privileges | Low (Any authenticated user) |
| Fix Version | 0.13.3 |
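The two path checks side by side, as an added Go example that is not Gogs' own code: a name-only filter of the kind bypassed here, and a check that resolves symlinks before allowing a write, exercised against a constructed scratch repository containing `evil_link -> .git/config`. The function names and the scratch layout are assumptions for illustration.

```go
package main

import (
	"os"
	"path/filepath"
	"strings"
)

// NameOnlyCheck mimics the bypassed defence: it looks only at the submitted name, so a symlink such as evil_link passes.
func NameOnlyCheck(relPath string) bool {
	return !strings.Contains("/"+filepath.ToSlash(filepath.Clean(relPath))+"/", "/.git/")
}

// ResolvedCheck follows symlinks first and allows the write only when the real location is inside repoRoot and not under .git.
func ResolvedCheck(repoRoot, relPath string) (bool, error) {
	root, err := filepath.EvalSymlinks(repoRoot)
	if err != nil {
		return false, err
	}
	target := filepath.Join(root, relPath)
	// The parent directory must exist; resolve it so a symlinked directory cannot hide .git.
	dir, err := filepath.EvalSymlinks(filepath.Dir(target))
	if err != nil {
		return false, err
	}
	real := filepath.Join(dir, filepath.Base(target))
	if r, err := filepath.EvalSymlinks(real); err == nil {
		real = r // existing file or link: use where it really points
	} else if fi, err := os.Lstat(real); err == nil && fi.Mode()&os.ModeSymlink != 0 {
		return false, nil // dangling link: writing through it would create its target
	}
	rel, err := filepath.Rel(root, real)
	rel = filepath.ToSlash(rel) + "/"
	return err == nil && !strings.HasPrefix(rel, "../") && !strings.HasPrefix(rel, ".git/"), nil
}

// BuildRepo lays out a constructed scratch repository: .git/config plus a symlink evil_link pointing at it (the advisory's pattern).
func BuildRepo() (string, error) {
	dir, err := os.MkdirTemp("", "gogs-cwe59-")
	if err == nil {
		err = os.MkdirAll(filepath.Join(dir, ".git"), 0o755)
	}
	if err == nil {
		err = os.WriteFile(filepath.Join(dir, ".git", "config"), []byte("[core]\n"), 0o644)
	}
	if err == nil {
		err = os.Symlink(filepath.Join(".git", "config"), filepath.Join(dir, "evil_link"))
	}
	return dir, err
}
```

The same resolved check also refuses a dangling link such as one pointing at a not-yet-existing hook, since editing it would create that file.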