CVE-2024-56731

EUVD-2024-54695 | CRITICAL 10.0 (CVSS 3.1)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 15, 2026 - 22:36 (vuln.today)
EUVD ID Assigned: Mar 15, 2026 - 22:36 (euvd), EUVD-2024-54695
Patch Released: Mar 15, 2026 - 22:36 (nvd), patch available
CVE Published: Jun 24, 2025 - 04:15 (nvd), CRITICAL 10.0

Description

Gogs is an open source self-hosted Git service. Prior to version 0.13.3, it's still possible to delete files under the .git directory and achieve remote command execution due to an insufficient patch for CVE-2024-39931. Unprivileged user accounts can execute arbitrary commands on the Gogs instance with the privileges of the account specified by RUN_USER in the configuration. This allows attackers to access and alter any users' code hosted on the same instance. This issue has been patched in version 0.13.3.

Analysis

CVE-2024-56731 is a critical remote code execution vulnerability in Gogs (a self-hosted Git service) in versions prior to 0.13.3, where unprivileged users can delete files in the .git directory and achieve arbitrary command execution because the patch for CVE-2024-39931 was incomplete. An unauthenticated remote attacker can execute arbitrary commands with the privileges of the RUN_USER account, compromising all code repositories and user data on affected instances. This represents an actively exploitable vulnerability with the maximum CVSS 3.1 score of 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating network accessibility, low attack complexity, no privilege requirements, and complete system compromise.

Technical Context

Gogs is an open-source Git version control service written in Go that provides self-hosted Git repository management. The vulnerability stems from insufficient validation in file deletion operations within repository management, specifically allowing manipulation of the .git directory structure. It relates to CWE-552 (Files or Directories Accessible to External Parties), indicating improper access control on critical Git metadata. The root cause is an incomplete security patch for CVE-2024-39931, meaning the original mitigation did not restrict every path to .git directory manipulation. The vulnerability allows attackers to delete critical Git internal files (hooks, objects, refs), which can be leveraged to inject malicious Git hooks that execute arbitrary commands when Git operations occur. Affected CPE: cpe:2.3:a:gogs:gogs:*:*:*:*:*:*:*:* (versions < 0.13.3).

Affected Products

Gogs (0.13.2 and earlier)

Remediation

Patch (priority: CRITICAL): Upgrade Gogs to version 0.13.3 or later immediately. Details: Download and deploy Gogs 0.13.3+ from the official repository (https://github.com/gogs/gogs).

Workaround (priority: IMMEDIATE): Restrict network access to the Gogs service. Details: Implement network segmentation, firewall rules, or VPN requirements to limit access to trusted networks only while the patch is being deployed.

Workaround (priority: HIGH): Disable repository operations if possible. Details: Temporarily restrict git push/pull operations or place the Gogs instance in read-only mode until patched.

Detection (priority: HIGH): Monitor for suspicious .git directory modifications. Details: Implement file integrity monitoring on .git directories and audit logs for deletion operations on Git internal files.

Hardening (priority: MEDIUM): Review RUN_USER privileges. Details: Ensure the RUN_USER account operates with the minimal necessary privileges; use containerization or sandboxing to limit the impact of code execution.
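The detection item above asks for file integrity monitoring on .git directories. The following is an added example (not code from vuln.today or the Gogs project) of a baseline-and-diff check over the internals of a bare repository: it hashes the critical files plus everything under hooks/ and refs/, then reports deletions, additions (a live, non-.sample hook is rated critical) and modifications. The repository layout, paths and tampering in run_demo() are a constructed fixture, not real data.

```python
import hashlib
import tempfile
from pathlib import Path

# Files a bare repo cannot function without, and the directories an attacker would target.
CRITICAL_FILES = ("HEAD", "config")
WATCHED_DIRS = ("hooks", "refs")


def snapshot(repo: Path) -> dict:
    """Map relative path -> sha256 for every watched file in a bare repository."""
    state = {}
    paths = [repo / n for n in CRITICAL_FILES]
    for d in WATCHED_DIRS:
        if (repo / d).is_dir():
            paths.extend((repo / d).rglob("*"))
    for p in paths:
        if p.is_file():
            state[p.relative_to(repo).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return state


def diff_state(baseline: dict, current: dict) -> list:
    """Compare two snapshots; return sorted (severity, event, path) findings."""
    findings = []
    for rel in set(baseline) - set(current):
        findings.append(("critical" if rel in CRITICAL_FILES else "high", "deleted", rel))
    for rel in set(current) - set(baseline):
        # A live (non-.sample) hook that was absent at baseline is the classic artifact here.
        live_hook = rel.startswith("hooks/") and not rel.endswith(".sample")
        findings.append(("critical" if live_hook else "medium", "added", rel))
    for rel in set(baseline) & set(current):
        if baseline[rel] != current[rel]:
            findings.append(("high", "modified", rel))
    return sorted(findings)


def run_demo() -> list:
    """Constructed fixture: a minimal bare repo, a baseline, then simulated tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp) / "demo.git"
        (repo / "hooks").mkdir(parents=True)
        (repo / "refs" / "heads").mkdir(parents=True)
        (repo / "HEAD").write_text("ref: refs/heads/master\n")
        (repo / "config").write_text("[core]\n\tbare = true\n")
        (repo / "hooks" / "pre-receive.sample").write_text("#!/bin/sh\nexit 0\n")
        (repo / "refs" / "heads" / "master").write_text("0" * 40 + "\n")
        baseline = snapshot(repo)
        # Simulated tampering of the kind the advisory describes (benign placeholder contents).
        (repo / "HEAD").unlink()
        (repo / "hooks" / "pre-receive").write_text("#!/bin/sh\necho constructed-demo\n")
        (repo / "refs" / "heads" / "master").write_text("1" * 40 + "\n")
        return diff_state(baseline, snapshot(repo))
```

In production, take the baseline from a known-good state of each repository under the Gogs data directory and raise the critical findings into your alerting pipeline.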

Priority Score

51
KEV: 0
EPSS: +1.0
CVSS: +50
POC: 0

Vendor Status


CVE-2024-56731 vulnerability details – vuln.today
