CVE-2024-56731: 
Gogs vulnerability analysis and mitigation

Gogs, an open source self-hosted Git service, was found to contain a critical vulnerability (CVE-2024-56731) prior to version 0.13.3. The vulnerability stems from an insufficient patch for CVE-2024-39931, where it remained possible to delete files under the .git directory and achieve remote command execution. The vulnerability was discovered and disclosed on June 24, 2025 (GitHub Advisory).

The vulnerability exists due to insufficient validation of symbolic links in the patch for CVE-2024-39931. While the patch added checks to prevent direct access to .git directories, it failed to properly validate symbolic links. An attacker can bypass the protection by creating a symbolic link pointing to the .git directory, allowing them to delete arbitrary files in the .git directory. The vulnerability has been assigned CWE-552 (Files or Directories Accessible to External Parties) and received a CVSS v3.1 score of 10.0 (Critical) (Wiz).

The vulnerability allows unprivileged user accounts to execute arbitrary commands on the Gogs instance with the privileges of the account specified by RUN_USER in the configuration. This enables attackers to access and alter any users' code hosted on the same instance, potentially compromising the entire system (GitHub Advisory).

The vulnerability has been patched in Gogs version 0.13.3. Users are strongly advised to upgrade to this version to protect against the vulnerability. No alternative workarounds have been provided (Gogs Release).