Critical Gogs Vulnerability Allows Silent Overwriting of Large File Storage Objects
A severe security vulnerability has been identified in Gogs, a widely used open-source, self-hosted Git service. This flaw, designated as CVE-2026-25921, enables attackers to covertly overwrite Large File Storage (LFS) objects, posing significant risks to software supply chains. With a maximum CVSS 3.1 score of 10.0, this vulnerability affects Gogs versions 0.14.1 and earlier, and as of now, no official patch has been released.
Understanding the Vulnerability
The core of this vulnerability lies in two fundamental design flaws within Gogs’ LFS architecture:
1. Shared Storage Location: Gogs stores all LFS objects in a single, centralized directory without isolating them by repository. This means that every project on a Gogs instance shares the same storage space, lacking unique repository identifiers in the storage path.
2. Absence of Hash Verification: When users upload LFS files, Gogs does not verify if the file’s content matches its claimed SHA-256 cryptographic hash (also known as the Object ID or OID).
These oversights allow an attacker who knows the SHA-256 hash of a target LFS file to upload a malicious file with the same hash to their own repository. Gogs, treating this as a routine client retry, overwrites the legitimate file in the shared storage without any verification.
Potential Impact
The implications of CVE-2026-25921 are profound:
– Supply Chain Compromise: Developers and automated systems downloading LFS objects from the compromised server may unknowingly receive tampered files, leading to the distribution of malicious software.
– Undetectable Tampering: Due to the lack of data authenticity validation, the overwriting process occurs silently. Users downloading the LFS object from the Gogs interface receive no warnings or alerts about the file’s alteration.
This vulnerability is particularly alarming because it requires low attack complexity, no special privileges, and zero user interaction, making it an attractive target for malicious actors.
Discovery and Disclosure
Security researcher zjuchenyuan discovered and reported this vulnerability. Given the absence of an official patch, organizations using self-hosted Gogs instances must exercise heightened caution.
Mitigation Strategies
Until an official fix is available, administrators should implement the following temporary measures:
– Restrict Permissions: Limit account creation and LFS upload permissions to trusted internal users to prevent unauthorized file overwriting.
– Manual Integrity Checks: Deploy external monitoring scripts to periodically verify that the actual SHA-256 hashes of critical LFS files on the server match their expected values in the database.
The forthcoming developer fix is expected to enforce strict verification, ensuring that all uploaded LFS objects match their claimed SHA-256 hashes before being written to the server.
Conclusion
The discovery of CVE-2026-25921 underscores the critical importance of robust security practices in software development and deployment. Organizations utilizing Gogs must remain vigilant, implement recommended mitigations, and stay updated on official patches to safeguard their software supply chains against potential compromises.
