【高危】Gogs has the ability to import local repositories via Mirror Settings

安全速报 · 严重级:高危 · CVSS:8.1 · CVE-2026-52801 · GHSA-wv27-2vqp-j7g5

漏洞概要

Summary

The Gogs Mirror Settings functionality provide an alternative way from the well protected New Migration functionality for any authenticated users to import local repositories. This issue stems from a lack of validation of SaveAddress function.

Details

Here is the function implementation of the secure New Migration functionality.

Here is the function implementation of the Mirror Settings without any validation.

PoC

The New Migration feature correctly blocked my attempt to import a local repository.

But if I create a normal migration with a valid repository.

Then, I could use the Mirror Settings feature under the Repository Settings sync a local repository.

Here is the result after the sync.

Impact

Users can import local repositories from the server's filesystem, which allows accessing any repository the git user has access to. There is also a potential issue of blind SSRF.

受影响组件

修复建议

升级 gogs.io/gogs 至 0.14.3 或更高版本。

参考链接

• GitHub Advisory GHSA-wv27-2vqp-j7g5
• https://github.com/gogs/gogs/security/advisories/GHSA-wv27-2vqp-j7g5
• https://github.com/gogs/gogs/pull/8225
• https://github.com/gogs/gogs/commit/11e19f28b5c82466fd1689c94344ef4313ee986c
• https://github.com/gogs/gogs/releases/tag/v0.14.3

本文基于 GitHub Advisory Database(CC-BY-4.0 授权)整理,数据来源已注明。