CVE-2024-56731 CRITICAL

CVE-2024-56731: Gogs deletion of internal files allows remote command execution

Vendor Gogs
Product gogs
Weakness CWE-552 · Files accessible externally
Published June 24, 2025
Last update June 25, 2025

CVSS base score

10.0/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01 Description

Gogs is an open source self-hosted Git service. Prior to version 0.13.3, it is still possible to delete files under the .git directory and achieve remote command execution, due to an insufficient patch for CVE-2024-39931. Unprivileged user accounts can execute arbitrary commands on the Gogs instance with the privileges of the account specified by RUN_USER in the configuration, allowing attackers to access and alter any users' code hosted on the same instance. This issue has been patched in version 0.13.3.

Key dates

02 Disclosure timeline

June 24, 2025 CVE published
June 25, 2025 Record updated