How to fix CVE-2025-64175?

Within 24 hours: Immediately inventory all Gogs deployments and identify instances running version 0.13.3 or earlier; disable 2FA recovery code functionality if possible or restrict access to Gogs via network controls. Within 7 days: Implement compensating controls such as WAF rules to monitor and block suspicious recovery code submission patterns, enforce IP whitelisting for Gogs access, and require VPN connectivity for all Git operations. Within 30 days: Monitor vendor communications for patch availability and deploy immediately upon release; conduct security audit of all Git repository access logs for the past 90 days to detect potential unauthorized access.

Is Gogs affected by CVE-2025-64175?

CVE-2025-64175 affects Gogs self-hosted Git services running version 0.13.3 or earlier, allowing attackers to bypass two-factor authentication (2FA) by using recovery codes from any user account to gain unauthorized access to other accounts.

CVE-2025-64175

HIGH

2026-02-06 [email protected]

GHSA-p6x6-9mx6-26wj

8.8

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Patch Released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

CVE Published

Feb 06, 2026 - 18:15 nvd

HIGH 8.8

Description

Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, Gogs’ 2FA recovery code validation does not scope codes by user, enabling cross-account bypass. If an attacker knows a victim’s username and password, they can use any unused recovery code (e.g., from their own account) to bypass the victim’s 2FA. This enables full account takeover and renders 2FA ineffective in all environments where it's enabled.. This issue has been patched in versions 0.13.4 and 0.14.0+dev.

Analysis

Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, Gogs’ 2FA recovery code validation does not scope codes by user, enabling cross-account bypass. [CVSS 8.8 HIGH]

Technical Context

Classified as CWE-287 (Improper Authentication). Affects Gogs. Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, Gogs’ 2FA recovery code validation does not scope codes by user, enabling cross-account bypass. If an attacker knows a victim’s username and password, they can use any unused recovery code (e.g., from their own account) to bypass the victim’s 2FA. This enables full account takeover and renders 2FA ineffective in all environments where it's enabled.. This issue has been patched in versions 0.13.4 and 0.14.0+dev.

Affected Products

Vendor: Gogs. Product: Gogs.

Remediation

Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +44

POC: 0

Vendor Status

CVE-2025-64175 vulnerability details – vuln.today

Back

CVE-2025-64175

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Share

CVE-2025-64175

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Share

External POC / Exploit Code