What is the CVSS score of CVE-2025-64175?

CVE-2025-64175 has a CVSS 3.1 base score of 8.8 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of Gogs are affected by CVE-2025-64175?

CVE-2025-64175 affects Gogs self-hosted Git services running version 0.13.3 or earlier, allowing attackers to bypass two-factor authentication (2FA) by using recovery codes from any user account to…. A patch is available.

How to fix or mitigate CVE-2025-64175?

Within 24 hours: Immediately inventory all Gogs deployments and identify instances running version 0.13.3 or earlier; disable 2FA recovery code functionality if possible or restrict access to Gogs via network controls. Within 7 days: Implement compensating controls such as WAF rules to monitor and block suspicious recovery code submission patterns, enforce IP whitelisting for Gogs access, and require VPN connectivity for all Git operations. Within 30 days: Monitor vendor communications for patch availability and deploy immediately upon release; conduct security audit of all Git repository access logs for the past 90 days to detect potential unauthorized access.

Gogs CVE-2025-64175

HIGH

Improper Authentication (CWE-287)

2026-02-06 security-advisories@github.com

GHSA-p6x6-9mx6-26wj

Authentication Bypass Gogs Suse

8.8

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

8.8 HIGH

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

SUSE

HIGH

qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

CVE Published

Feb 06, 2026 - 18:15 nvd

HIGH 8.8

DescriptionGitHub Advisory

Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, Gogs’ 2FA recovery code validation does not scope codes by user, enabling cross-account bypass. If an attacker knows a victim’s username and password, they can use any unused recovery code (e.g., from their own account) to bypass the victim’s 2FA. This enables full account takeover and renders 2FA ineffective in all environments where it's enabled.. This issue has been patched in versions 0.13.4 and 0.14.0+dev.

AnalysisAI

Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, Gogs’ 2FA recovery code validation does not scope codes by user, enabling cross-account bypass. [CVSS 8.8 HIGH]

Technical ContextAI

Classified as CWE-287 (Improper Authentication). Affects Gogs. Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, Gogs’ 2FA recovery code validation does not scope codes by user, enabling cross-account bypass. If an attacker knows a victim’s username and password, they can use any unused recovery code (e.g., from their own account) to bypass the victim’s 2FA. This enables full account takeover and renders 2FA ineffective in all environments where it's enabled.. This issue has been patched in versions 0.13.4 and 0.14.0+dev.

RemediationAI

Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.

Vendor StatusVendor

SUSE

Severity: High

Product	Status
openSUSE Leap 15.6	Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP5	Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP6	Fixed
openSUSE Leap 15.5	Fixed

CVE-2025-64175 vulnerability details – vuln.today

Back

Gogs CVE-2025-64175

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Technical ContextAI

RemediationAI

Vendor StatusVendor

SUSE

Share

External POC / Exploit Code