The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2025-64111

CVE-2025-64111: Gogs Git Service RCE Vulnerability

CVE-2025-64111 is a remote code execution flaw in Gogs self-hosted Git service that allows attackers to modify .git directory files and execute commands. This article covers technical details, affected versions, and mitigation.

Published: February 13, 2026

CVE-2025-64111 Overview

CVE-2025-64111 is a critical command injection vulnerability affecting Gogs, a popular open source self-hosted Git service. This vulnerability exists due to an insufficient patch for CVE-2024-56731, allowing attackers to update files in the .git directory and achieve remote command execution. The incomplete fix in prior versions left a bypass path that threat actors can exploit to gain unauthorized access to affected systems.

Critical Impact

This vulnerability enables unauthenticated remote command execution on Gogs instances by manipulating files in the .git directory, potentially allowing complete system compromise.

Affected Products

  • Gogs version 0.13.3 and prior versions
  • All Gogs installations with exposed Git service interfaces
  • Self-hosted Git services running unpatched Gogs versions

Discovery Timeline

  • 2026-02-06 - CVE-2025-64111 published to NVD
  • 2026-02-06 - Last updated in NVD database

Technical Details for CVE-2025-64111

Vulnerability Analysis

This vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command), commonly known as OS Command Injection. The flaw stems from an incomplete security patch that was intended to address CVE-2024-56731. Despite the previous remediation efforts, attackers can still manipulate files within the .git directory structure to inject and execute arbitrary commands on the underlying operating system.

The attack can be executed over the network without requiring user interaction or authentication, making it particularly dangerous for publicly accessible Gogs instances. Successful exploitation grants attackers the ability to execute arbitrary commands with the privileges of the Gogs service account, potentially leading to full system compromise, data exfiltration, or lateral movement within the network.

Root Cause

The root cause of this vulnerability lies in the insufficient input validation and sanitization when handling file operations within the .git directory. The original fix for CVE-2024-56731 did not adequately address all possible attack vectors, leaving a bypass mechanism that allows malicious actors to write to sensitive Git configuration files. These files can then be leveraged to execute arbitrary commands when certain Git operations are triggered.

Attack Vector

The attack vector is network-based, requiring no authentication or user interaction. An attacker can remotely target exposed Gogs instances by crafting specially designed requests that manipulate files in the .git directory. Once malicious content is injected into Git hooks or configuration files, subsequent Git operations trigger the execution of attacker-controlled commands.

The vulnerability exploitation typically follows this pattern:

  1. Attacker identifies a vulnerable Gogs instance accessible over the network
  2. Attacker crafts a malicious request to write or modify files within the .git directory
  3. The injected content targets Git hooks (such as post-receive or pre-commit) or Git configuration files
  4. When Git operations are triggered, the malicious payload executes with the privileges of the Gogs service

For detailed technical information about the exploitation mechanism, see the GitHub Security Advisory.

Detection Methods for CVE-2025-64111

Indicators of Compromise

  • Unexpected modifications to files within .git directories, particularly Git hooks
  • Unusual process spawning from the Gogs service account
  • Unauthorized network connections originating from Gogs server processes
  • Suspicious entries in Git configuration files containing shell commands

Detection Strategies

  • Monitor file system changes to .git/hooks and .git/config files for unauthorized modifications
  • Implement application-level logging to track all file write operations to sensitive directories
  • Deploy network intrusion detection rules to identify exploitation attempts targeting Gogs instances
  • Review Gogs access logs for anomalous requests attempting to access or modify .git directory contents

Monitoring Recommendations

  • Enable verbose logging for the Gogs application and regularly review logs for suspicious activity
  • Implement file integrity monitoring (FIM) on all Git repository directories, particularly .git subdirectories
  • Set up alerts for any command execution originating from Gogs processes that deviates from normal behavior patterns
  • Monitor outbound network connections from Gogs servers to detect potential data exfiltration or C2 communication

How to Mitigate CVE-2025-64111

Immediate Actions Required

  • Upgrade Gogs to version 0.13.4 or 0.14.0+dev immediately to apply the security patch
  • Restrict network access to Gogs instances using firewall rules until patching is complete
  • Audit existing Git repositories for unauthorized modifications to .git directory contents
  • Review server logs for evidence of prior exploitation attempts

Patch Information

The vulnerability has been addressed in Gogs versions 0.13.4 and 0.14.0+dev. Organizations should prioritize upgrading to these patched versions as soon as possible. The patch properly addresses the incomplete fix from CVE-2024-56731 by implementing comprehensive input validation and restricting file operations within the .git directory. For detailed patch information, refer to the GitHub Security Advisory.

Workarounds

  • Implement strict network segmentation to limit access to Gogs instances from trusted networks only
  • Deploy a Web Application Firewall (WAF) with rules to block requests attempting to access or modify .git directories
  • Consider temporarily disabling public access to Gogs instances until patches can be applied
  • Implement filesystem-level protections to prevent unauthorized writes to .git directories
bash
# Example: Restrict network access to Gogs using iptables
# Allow access only from trusted internal network
iptables -A INPUT -p tcp --dport 3000 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 3000 -j DROP

# Set restrictive permissions on .git directories (requires root)
find /path/to/gogs-repositories -name ".git" -type d -exec chmod 700 {} \;

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeRCE
  • Vendor/TechGogs
  • SeverityCRITICAL
  • CVSS Score9.3
  • EPSS Probability0.12%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityHigh
  • CWE References
  • CWE-78
  • Technical References
  • GitHub Security Advisory
  • Related CVEs
  • CVE-2026-26194: Gogs Git Service RCE Vulnerability
  • CVE-2025-8110: Gogs RCE Vulnerability via Symlink Handling
  • CVE-2024-56731: Gogs Remote Code Execution Vulnerability
  • CVE-2022-0415: Gogs Repository File Upload RCE Vulnerability
Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English