CVE-2024-54148 Overview
CVE-2024-54148 is a path traversal vulnerability in Gogs, an open source self-hosted Git service. An authenticated malicious user can commit and edit a crafted symlink file in a repository to gain SSH access to the underlying server. The flaw is tracked under [CWE-22] (Improper Limitation of a Pathname to a Restricted Directory) and stems from the repository file editor failing to reject symlinks during edit operations. The vulnerability is fixed in Gogs 0.13.1.
Critical Impact
An authenticated repository user can leverage symlink editing to write outside the repository boundary and obtain SSH access to the host running Gogs.
Affected Products
- Gogs versions prior to 0.13.1
- Self-hosted Gogs Git service deployments
- Any environment exposing Gogs repository editing to untrusted users
Discovery Timeline
- 2024-12-23 - CVE-2024-54148 published to NVD
- 2025-04-10 - Last updated in NVD database
Technical Details for CVE-2024-54148
Vulnerability Analysis
The vulnerability resides in the repository web editor implemented in internal/route/repo/editor.go. When a user edits a file through the Gogs web interface, the editor did not reject entries that are symbolic links during file rename and edit flows. An attacker with commit permission to any repository can craft a symlink pointing to a sensitive path on the server, then use the web editor to modify the symlink target's contents.
Because the Gogs process typically runs as the git user, an attacker can write to files such as ~/.ssh/authorized_keys. This grants SSH access to the host, converting limited repository write access into remote interactive access to the server.
Root Cause
The root cause is missing validation in the file editing handler. The code path that permitted renaming a file checked for symlinks, but the path that updated file content while keeping the name did not. The fix in pull request #7857 adds a symlink check to the edit branch so that any attempt to modify a symlink entry returns the repo.editor.file_is_a_symlink form error.
Attack Vector
Exploitation requires a network-reachable Gogs instance and an authenticated account with write access to a repository. The attacker commits a symlink whose target is a sensitive file on the server, then uses the web editor to rewrite the symlink's content. No user interaction is required beyond the attacker's own session.
// Patch in internal/route/repo/editor.go from PR #7857
return
}
} else {
+ // 🚨 SECURITY: Do not allow editing if the target file is a symlink.
if entry.IsSymlink() {
c.FormErr("TreePath")
c.RenderWithErr(c.Tr("repo.editor.file_is_a_symlink", part), tmplEditorEdit, &f)
Source: Gogs commit c94baec9. The patch ensures the editor rejects edits when entry.IsSymlink() returns true, closing the path traversal vector.
Detection Methods for CVE-2024-54148
Indicators of Compromise
- Repository commits adding symlink objects whose targets point outside the repository tree, particularly to paths under the Gogs service account home directory.
- Unexpected modifications to ~/.ssh/authorized_keys or other dotfiles owned by the git user on the Gogs host.
- New SSH login sessions for the Gogs service account from unfamiliar source IP addresses.
Detection Strategies
- Audit Git object history for 120000 mode entries (symlinks) and review their targets for absolute paths or .. traversal sequences.
- Inspect Gogs application logs for repeated editor POST requests against symlink tree paths.
- Monitor file integrity on sensitive host paths such as ~/.ssh/authorized_keys, ~/.bashrc, and Gogs configuration files.
Monitoring Recommendations
- Alert on changes to authorized_keys files for any service account running Git hosting software.
- Track SSH authentication events for the Gogs runtime user and correlate with web editor activity timestamps.
- Forward Gogs and host audit logs to a centralized analytics platform for retroactive hunting once the version inventory is known.
How to Mitigate CVE-2024-54148
Immediate Actions Required
- Upgrade all Gogs instances to version 0.13.1 or later without delay.
- Rotate SSH keys present in the Gogs service account's authorized_keys and review for unauthorized entries.
- Audit recent commits across hosted repositories for newly introduced symlinks and remove suspicious entries.
Patch Information
The fix is delivered in Gogs 0.13.1 via pull request #7857 and commit c94baec9. Details are published in the GHSA-r7j8-5h9c-f6fx advisory.
Workarounds
- Restrict repository write access to trusted users until the upgrade is complete.
- Run the Gogs process under a dedicated low-privilege account whose home directory contains no SSH material or sensitive dotfiles.
- Disable the web editor for untrusted users by enforcing repository policies that require signed commits via the Git protocol only.
# Verify installed Gogs version and upgrade
/path/to/gogs --version
# Expected after patch: Gogs version 0.13.1 or later
# Inspect repositories for symlink entries
git ls-tree -r HEAD | awk '$1 == "120000" {print $4, "->", $3}'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
