CVE-2024-39930 Overview
CVE-2024-39930 is an argument injection vulnerability in the built-in Secure Shell (SSH) server of Gogs through version 0.13.0. The flaw is in internal/ssh/ssh.go and lets an authenticated attacker (any Gogs account with a registered SSH public key) achieve remote code execution on the host running Gogs. Exploitation requires opening an SSH connection to the built-in server, which must be enabled, and sending a crafted --split-string env request. Windows installations are unaffected; the injection relies on the option parsing of the Unix env binary. The vulnerability is classified under CWE-88: Argument Injection.
Critical Impact
Authenticated attackers can execute arbitrary commands on the Gogs server, leading to full source code repository compromise and potential lateral movement.
Affected Products
- Gogs versions up to and including 0.13.0 on Linux, where GNU coreutils env supports --split-string
- Gogs deployments on other Unix-like systems (macOS, BSD) whose env binary accepts the -S split-string option
- Only instances with the built-in SSH server enabled (START_SSH_SERVER = true in app.ini); deployments that use the host sshd for Git are not exposed to this flaw
Discovery Timeline
- 2024-07-04 - CVE-2024-39930 published to the National Vulnerability Database (NVD)
- 2025-04-11 - Last updated in NVD database
Technical Details for CVE-2024-39930
Vulnerability Analysis
The vulnerability stems from unsafe handling of user-controlled input passed to the system env command by the Gogs built-in SSH server. Alongside the exec request that carries the Git command, an SSH client can send env channel requests (the mechanism behind ssh -o SendEnv) that name an environment variable and its value. Gogs handled such a request by invoking the env binary with the client-supplied name and value joined as NAME=VALUE. Because the name is never checked for option-like strings, an attacker can supply --split-string (short form -S), which GNU env accepts to split a single argument into a program path and its arguments. env then executes the attacker-chosen program instead of merely setting a variable.
An Exploit-DB entry exists for this issue, and its EPSS score indicates an elevated probability of exploitation. A successful exploit runs commands with the privileges of the Gogs service account, exposing every hosted repository as well as configuration files and secrets stored on disk.
Root Cause
The root cause is missing validation of the variable name in SSH env requests before it is passed to env. The internal/ssh/ssh.go handler trusts the client-supplied name and value and forwards them to the system env binary as a single NAME=VALUE argument, without rejecting names that begin with - or --. GNU env (coreutils 8.30 and later) supports --split-string, which changes which program env executes and so enables argument injection (CWE-88).
Attack Vector
An attacker first authenticates to the Gogs built-in SSH server with a valid account that has an SSH public key registered; on many self-hosted instances such an account can be created through open registration. After establishing the SSH session, the attacker sends an env request whose variable name begins with --split-string= followed by an arbitrary program path and arguments. Gogs passes the resulting string to env, which interprets the flag and executes the attacker-specified program. Windows installations are unaffected.
Exploit code is not reproduced here. Technical write-ups are available in the SonarSource analysis of Gogs vulnerabilities and the Vicarius analysis of CVE-2024-39930.
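The flawed pattern and one hardened replacement, shown as an added Go illustration that is not Gogs's source code and not the project's own fix. It assumes a hypothetical handler that receives the env request's name and value and then builds the Git command; the function names, the GIT_PROTOCOL allowlist and the sample inputs are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"regexp"
)

// envNameRe is the shape of a legitimate environment variable name: it can
// never start with '-', so option-like names such as "--split-string=..."
// or "-S..." fail the check before anything is executed.
var envNameRe = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)

// allowedEnvVars is a hypothetical allowlist of variables a Git-over-SSH
// service actually needs from the client. Arbitrary variables (GIT_CONFIG_*,
// LD_PRELOAD, ...) alter git's behaviour and should not be accepted either.
var allowedEnvVars = map[string]bool{
	"GIT_PROTOCOL": true,
}

// ErrBadEnvName is returned for env request names that fail validation.
var ErrBadEnvName = errors.New("rejected ssh env request: variable name not allowed")

// VulnerableArgv mirrors the flawed pattern this page describes (an illustration,
// not Gogs's own code): the client-controlled name is glued into one argument for
// the env binary. GNU env parses a leading '-' in that argument as an option, so a
// name of "--split-string=<program> ..." changes what env executes. This function
// only builds the argv so its shape can be inspected; it never runs it.
func VulnerableArgv(name, value string) []string {
	return []string{"env", name + "=" + value}
}

// AllowedEnvName reports whether a client-supplied variable name may be applied:
// it must look like an identifier (so it can never be parsed as an option) and it
// must be on the allowlist.
func AllowedEnvName(name string) bool {
	return envNameRe.MatchString(name) && allowedEnvVars[name]
}

// HardenedCommand builds the Git command for an SSH session and applies a
// validated client variable through cmd.Env. No env binary is involved, so
// env's option parsing cannot be reached even if validation were bypassed.
func HardenedCommand(name, value string, argv ...string) (*exec.Cmd, error) {
	if len(argv) == 0 {
		return nil, errors.New("no command")
	}
	if !AllowedEnvName(name) {
		return nil, ErrBadEnvName
	}
	cmd := exec.Command(argv[0], argv[1:]...)
	cmd.Env = append(os.Environ(), name+"="+value)
	return cmd, nil
}

func main() {
	// Constructed inputs: an option-like env request name and a legitimate one.
	fmt.Println(VulnerableArgv("--split-string=/usr/bin/id", "x")) // [env --split-string=/usr/bin/id=x]
	if _, err := HardenedCommand("--split-string=/usr/bin/id", "x", "git-upload-pack", "repo.git"); err != nil {
		fmt.Println("blocked:", err)
	}
	cmd, _ := HardenedCommand("GIT_PROTOCOL", "version=2", "git-upload-pack", "repo.git")
	fmt.Println(cmd.Env[len(cmd.Env)-1]) // GIT_PROTOCOL=version=2
}
```

The identifier check alone is enough to stop the option injection; the allowlist is the second layer, because letting an SSH client set any variable it likes for git-upload-pack is itself a way to change what git does.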
Detection Methods for CVE-2024-39930
Indicators of Compromise
- Gogs SSH server logs, where env request payloads are recorded, showing variable names that begin with --split-string or -S
- Unexpected child processes of the Gogs process executing shells, interpreters, or network utilities such as bash, python, curl, or nc
- New or modified SSH keys, webhooks, or deploy keys created shortly after suspicious SSH activity
- Outbound network connections from the Gogs service account to untrusted destinations
Detection Strategies
- Inspect Gogs SSH server logs for env request payloads containing --split-string, -S, --block-signal, or other GNU env options
- Correlate Git SSH authentication events with subsequent process executions by the Gogs process that are not git-upload-pack, git-receive-pack, or git-upload-archive
- Monitor for env invocations spawned by the Gogs process whose first argument begins with - (a legitimate env request produces a NAME=VALUE argument, which never does)
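The detection strategies above as logic run over constructed process telemetry, added here as an example and not part of the original page. It assumes a newline-delimited JSON export of process-start events with ts, parent_comm, exe and argv fields (an invented schema, not a specific agent's format); the baseline of expected Gogs child processes is a starting point to tune from your own data.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"path"
	"strings"
)

// ProcEvent is one process-start record as a host telemetry agent (auditd,
// an eBPF tracer or an EDR) might export it. The field names are assumptions
// for this example, not a particular product's schema.
type ProcEvent struct {
	Time       string   `json:"ts"`
	ParentComm string   `json:"parent_comm"`
	Exe        string   `json:"exe"`
	Argv       []string `json:"argv"`
}

// expectedGogsChildren is the baseline of programs the Gogs service is
// expected to spawn for Git-over-SSH. Tune it from your own telemetry.
var expectedGogsChildren = map[string]bool{
	"git-upload-pack":    true,
	"git-receive-pack":   true,
	"git-upload-archive": true,
	"git":                true,
	"gogs":               true,
	"env":                true, // the env request handler; option-like use is caught separately
}

// Classify applies the detection strategies above to one event and returns a
// reason when it should alert. Only children of the gogs process are examined,
// because env options are routine elsewhere on a host.
func Classify(e ProcEvent) (string, bool) {
	if e.ParentComm != "gogs" {
		return "", false
	}
	base := path.Base(e.Exe)
	// env spawned by gogs with an option-like first argument: a legitimate env
	// request yields NAME=VALUE, which never starts with '-'.
	if base == "env" && len(e.Argv) > 1 && strings.HasPrefix(e.Argv[1], "-") {
		return "env invoked by gogs with option-like argument: " + e.Argv[1], true
	}
	// Any child outside the Git baseline (shells, interpreters, network tools).
	if !expectedGogsChildren[base] {
		return "unexpected child of gogs: " + base, true
	}
	return "", false
}

// ScanJSONL runs Classify over newline-delimited JSON events and returns one
// alert line per match. Malformed lines are reported rather than skipped
// silently, since a broken feed would otherwise hide activity.
func ScanJSONL(input string) []string {
	var alerts []string
	sc := bufio.NewScanner(strings.NewReader(input))
	for lineNo := 1; sc.Scan(); lineNo++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var e ProcEvent
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			alerts = append(alerts, fmt.Sprintf("line %d: unparseable event: %v", lineNo, err))
			continue
		}
		if reason, hit := Classify(e); hit {
			alerts = append(alerts, fmt.Sprintf("%s %s", e.Time, reason))
		}
	}
	return alerts
}

// SampleEvents is constructed telemetry: a normal fetch, an env request handled
// as a plain NAME=VALUE, an option-like env argument, a shell spawned directly by
// the service, and an unrelated shell under sshd that must not be flagged.
const SampleEvents = `
{"ts":"2024-07-05T10:01:02Z","parent_comm":"gogs","exe":"/usr/bin/git-upload-pack","argv":["git-upload-pack","/data/repos/acme/app.git"]}
{"ts":"2024-07-05T10:01:09Z","parent_comm":"gogs","exe":"/usr/bin/env","argv":["env","GIT_PROTOCOL=version=2"]}
{"ts":"2024-07-05T10:02:31Z","parent_comm":"gogs","exe":"/usr/bin/env","argv":["env","--split-string=/usr/bin/id=x"]}
{"ts":"2024-07-05T10:02:32Z","parent_comm":"gogs","exe":"/bin/sh","argv":["sh"]}
{"ts":"2024-07-05T10:03:00Z","parent_comm":"sshd","exe":"/bin/bash","argv":["bash"]}
`

func main() {
	for _, a := range ScanJSONL(SampleEvents) {
		fmt.Println("ALERT", a)
	}
}
```

Running it over the sample prints two alerts, one for the option-like env argument and one for the shell; the baseline fetch, the plain env request and the sshd-owned shell are silent. Where the Gogs service runs under a dedicated account, add the user to the event and filter on it rather than on the parent name alone.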
Monitoring Recommendations
- Forward Gogs application logs, host sshd logs (where the host sshd fronts Git access), and process telemetry (auditd, eBPF, or EDR) to a centralized analytics platform for correlation
- Establish a baseline of expected child processes spawned by the Gogs service and alert on deviations
- Track repository configuration changes and administrative actions performed immediately after SSH sessions originating from unfamiliar source addresses
How to Mitigate CVE-2024-39930
Immediate Actions Required
- Upgrade Gogs to a fixed release as published in the Gogs release notes on GitHub
- Disable the built-in SSH server in app.ini if an upgrade cannot be applied immediately and route Git-over-SSH through the host sshd
- Disable open user registration to limit the pool of authenticated attackers
- Rotate SSH host keys, deploy keys, and any secrets stored within repositories if compromise is suspected
Patch Information
Gogs maintainers publish fixes through the project's GitHub releases. Review the releases page for the latest version and changelog entries referencing the SSH argument injection fix, apply the upgrade to every production and staging instance, and verify the running version after deployment.
Workarounds
- Set START_SSH_SERVER = false in the [server] section of app.ini and rely on the host sshd, which Gogs supports through the authorized_keys entries it manages
- Restrict network access to the built-in SSH listener with firewall rules or network ACLs that allow only known client ranges
- Enforce manual admin approval for new accounts to prevent anonymous attackers from gaining authenticated access
# Configuration example: disable the built-in SSH server in Gogs app.ini
[server]
# Do not start the Go SSH server that contains the vulnerable env handler;
# Git-over-SSH then goes through the host sshd instead
START_SSH_SERVER = false
# Port advertised in clone URLs (the host sshd port)
SSH_PORT = 22
# Keep SSH-based Git access available via the host sshd
DISABLE_SSH = false
[service]
# Shrink the pool of authenticated attackers: no self-service accounts
DISABLE_REGISTRATION = true
REQUIRE_SIGNIN_VIEW = true
REGISTER_EMAIL_CONFIRM = true
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.