Lack of response to critical vulnerability in Gogs is a reminder of the limits of open source projects
A newly discovered and so far unpatched critical vulnerability in the open source Gogs Git service not only demands immediate action from developers to secure their code, it also puts a spotlight on the potential issues in using self-hosted code platforms from small maintainers. The hole is a critical argument injection vulnerability, discovered by a researcher at Rapid7, that allows any authenticated user to remotely execute code on a Gogs server by creating a pull request with a malicious branch name during a merge operation. Rapid7 published an analysis of the vulnerability today, after the maintainer of Gogs did not respond to a request for status updates or to an offer to defer disclosure after it first reported the hole over two months ago. “This is a serious vulnerability in software that isn’t commonly exposed to the public internet,” Ryan Emmons, staff security researcher at Rapid7, said in an email. “Gogs is typically used in an internal capacity; the most likely threat mode