Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-64719

CVE-2025-64719: Gogs Git Service DOS Vulnerability

CVE-2025-64719 is a denial of service vulnerability in Gogs, an open source self-hosted Git service, where malicious users can crash repository pages. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-64719 Overview

CVE-2025-64719 is a denial of service vulnerability in Gogs, an open source self-hosted Git service. The flaw affects versions prior to 0.14.3 and resides in the repository and wiki page rendering logic. An authenticated user with permissions to create files in a repository or wiki page can trigger an unrecoverable error condition that returns HTTP 500 responses and renders the affected pages unusable. The vulnerability is tracked under [CWE-20: Improper Input Validation] and has been addressed in Gogs 0.14.3.

Critical Impact

An authenticated user with write access can permanently break repository or wiki listing pages, denying service to all users attempting to view affected content.

Affected Products

  • Gogs versions prior to 0.14.3
  • Self-hosted Gogs Git service instances
  • Repositories and wiki pages within affected installations

Discovery Timeline

  • 2026-06-24 - CVE-2025-64719 published to NVD
  • 2026-06-25 - Last updated in NVD database

Technical Details for CVE-2025-64719

Vulnerability Analysis

The vulnerability exists in two source files within the Gogs codebase: internal/route/repo/wiki.go and internal/route/repo/view.go. Both files contain logic that recovers commit information when rendering file listings on repository and wiki pages. When the commit recovery routine encounters an error, the handler returns an HTTP 500 response and halts page rendering. A malicious authenticated user with file creation rights can craft input that causes commit information recovery to fail. This breaks the listing pages and prevents legitimate users from browsing affected repository or wiki content.

Root Cause

The root cause is improper input validation [CWE-20] in the commit information recovery path. The handlers in wiki.go and view.go do not gracefully handle errors returned during commit metadata retrieval. Instead of degrading rendering by skipping the problematic entry, the code propagates the error and aborts the entire response.

Attack Vector

Exploitation requires network access to the Gogs web interface and authenticated privileges sufficient to create a new file in a repository or wiki page. The attacker creates a file or wiki entry containing input that triggers a failure in the commit information recovery code path. Once created, any subsequent request to the file listing page returns HTTP 500 until the offending content is removed. No user interaction beyond the initial file creation is required to sustain the denial of service.

No verified proof-of-concept code is publicly available. Refer to the GitHub Security Advisory GHSA-3qq3-668m-v9mj for additional technical context.

Detection Methods for CVE-2025-64719

Indicators of Compromise

  • Repeated HTTP 500 responses returned from repository file listing or wiki index endpoints
  • Recently created files or wiki pages immediately preceding the appearance of 500 errors on listing pages
  • Web server access logs showing legitimate users encountering errors on previously functional repository pages

Detection Strategies

  • Monitor Gogs application logs for errors originating in internal/route/repo/wiki.go and internal/route/repo/view.go related to commit recovery
  • Correlate spikes in HTTP 500 responses with recent file or wiki page creation events by specific user accounts
  • Review audit logs for users creating files or wiki entries shortly before service disruption reports

Monitoring Recommendations

  • Enable verbose application logging for repository and wiki request handlers to capture commit recovery failures
  • Track HTTP response code distributions per repository to identify pages consistently returning 500 errors
  • Alert on a sustained rate of HTTP 500 responses from the /wiki and repository tree endpoints

How to Mitigate CVE-2025-64719

Immediate Actions Required

  • Upgrade all Gogs instances to version 0.14.3 or later as the primary remediation
  • Audit recently created files and wiki pages on repositories reporting rendering errors
  • Restrict repository and wiki write permissions to trusted users until patching is complete
  • Remove any offending file or wiki page identified as triggering HTTP 500 responses

Patch Information

The vulnerability is fixed in Gogs 0.14.3. The patch modifies commit information recovery logic in internal/route/repo/wiki.go and internal/route/repo/view.go so that errors during commit metadata retrieval no longer abort page rendering. Administrators should apply the official release available from the Gogs project repository.

Workarounds

  • Limit file and wiki creation rights to vetted accounts until the upgrade is applied
  • Manually delete offending files or wiki pages via direct repository access to restore listing functionality
  • Place the Gogs instance behind authentication-aware monitoring to detect abusive write patterns

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.