Rapid7 said the Gogs flaw is still unpatched after a March 17 report, letting any authenticated user execute code on default-configured servers through a malicious pull request branch name.
The exploit abuses the "Rebase before merging" option by injecting Git's --exec flag into git rebase, turning a branch name into a shell command without admin rights or user interaction.
On instances with open registration, an attacker can simply create an account and repository, enable rebase merging, and run the full chain; where creation is restricted, write access to a repo with rebase enabled is enough.
Successful compromise can expose every repository on the server, dump credentials, pivot to other reachable systems, and read other users' private repos in shared environments.
Rapid7 said the bug affects Windows, Linux and macOS deployments, released a Metasploit module for Linux and Windows targets, and urged admins to disable registration, block repo creation and audit rebase settings.
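The mechanism described above is argument injection: a branch name that begins with a dash is handed to git as a positional argument and gets parsed as an option instead. As an added illustration (not Gogs's code or Rapid7's module), the Python below shows the two server-side controls a defender would want in any wrapper that passes user-supplied ref names to git: a name filter that mirrors the rules of `git check-ref-format --branch` (which already rejects a leading dash), and an argv built with a `--` separator, which git's option parser treats as the end of options. The sample ref names, the hypothetical `run_rebase` wrapper and its `repo_dir` parameter are all constructed for the example.

```python
import re
import subprocess  # only used to show how the validated argv is handed to git

# Constructed sample ref names (not taken from the page). The first two have the
# shape that git would parse as an option rather than as a branch name.
SAMPLE_REF_NAMES = [
    "--exec=echo injected",    # option-shaped: must never reach git's argv
    "-b",                      # any leading dash is option-shaped
    "feature/login-fix",       # ordinary branch name: accepted
    "release/1.2",             # a dash or dot inside a component is fine
    "bad name with spaces",    # space is forbidden in ref names
    "refs/../escape",          # ".." is forbidden
    "wip..squash",
]

# Characters git's check-ref-format forbids anywhere in a ref name:
# ASCII control characters and space, DEL, ~ ^ : ? * [ and backslash.
_FORBIDDEN_CHARS = re.compile(r"[\x00-\x20\x7f~^:?*\[\\]")


def is_safe_branch_name(name: str) -> bool:
    """Conservative ref-name filter.

    Applies the `git check-ref-format --branch` rules that matter here,
    starting with the one that stops argument injection: a branch name
    may not begin with a dash.
    """
    if not name or name.startswith("-"):
        return False                      # would be parsed as an option
    if _FORBIDDEN_CHARS.search(name):
        return False
    if ".." in name or "@{" in name or name == "@":
        return False
    if name.startswith("/") or name.endswith("/") or name.endswith(".") or "//" in name:
        return False
    for component in name.split("/"):
        if component.startswith(".") or component.endswith(".lock"):
            return False
    return True


def build_rebase_argv(upstream: str, branch: str) -> list[str]:
    """Build argv for `git rebase <upstream> <branch>` from untrusted names.

    Refuses option-shaped names outright, and places `--` before the
    positional arguments so that git stops option parsing there even if
    the validation above is ever loosened (defence in depth).
    """
    for ref in (upstream, branch):
        if not is_safe_branch_name(ref):
            raise ValueError(f"rejected ref name: {ref!r}")
    return ["git", "rebase", "--", upstream, branch]


def run_rebase(repo_dir: str, upstream: str, branch: str) -> subprocess.CompletedProcess:
    """Hypothetical wrapper: argv list, no shell, so the branch name is
    never interpreted by /bin/sh and never seen by git as an option."""
    return subprocess.run(
        build_rebase_argv(upstream, branch),
        cwd=repo_dir, check=False, capture_output=True, text=True,
    )


def audit(names) -> dict[str, bool]:
    """Map each candidate ref name to whether the filter accepts it."""
    return {n: is_safe_branch_name(n) for n in names}


if __name__ == "__main__":
    for name, ok in audit(SAMPLE_REF_NAMES).items():
        print(f"{'accept' if ok else 'REJECT':6} {name!r}")
```

The filter is the part that closes the hole on its own; the `--` separator and the shell-free `subprocess.run` call are there so that a future change to the filter cannot silently reopen it. Neither replaces the operational steps Rapid7 recommends for unpatched servers, which limit who can create the branch in the first place.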
Could attackers be rewriting your software's history by exploiting this unpatched Gogs vulnerability to inject backdoors?
If open-source maintainers go silent, who is responsible for securing the global software supply chain?