Severe Gogs Vulnerability CVE-2026-25921 Allows Silent Overwrite of LFS Objects; No Patch Available

Critical Gogs Vulnerability Allows Silent Overwriting of Large File Storage Objects

A severe security vulnerability has been identified in Gogs, a widely used open-source, self-hosted Git service. The flaw lets an attacker covertly overwrite Large File Storage (LFS) objects belonging to other repositories on the same instance, putting any software supply chain that pulls artifacts from that server at risk.

Vulnerability Details

Designated CVE-2026-25921, the vulnerability carries the highest possible severity rating, a CVSS 3.1 score of 10.0. It affects Gogs versions 0.14.1 and earlier, and no official patch was available at the time of disclosure. Exploiting it lets a malicious actor replace binaries, datasets or build artifacts stored as LFS objects in any repository on a shared server, including repositories the attacker cannot otherwise write to, without triggering any warning.

Root Causes

The vulnerability arises from two primary design flaws in Gogs’ LFS architecture:

1. Lack of Storage Isolation: Gogs writes every uploaded LFS object into a single shared location that is not partitioned by repository. Because the on-disk path is derived from the object's hash alone and does not include a repository ID, every project hosted on the instance draws from the same centralized file pool, and two repositories that reference the same OID are served the same file.

2. Missing Hash Verification: When a client uploads an LFS object, Gogs does not check that the bytes it receives actually hash to the claimed OID. In the Git LFS protocol the OID is the lowercase hex SHA-256 of the object's content, and it is the client, not the server, that declares it in the batch request preceding the upload; a server that never recomputes the hash is trusting the client's word for it.

Because of these two oversights, an attacker needs to know only the SHA-256 hash of the target object. That OID is recorded in plain text in the LFS pointer file committed to the victim's repository, so for any repository the attacker can read it is not a secret. The attacker then uploads a manipulated file, such as a backdoored software installer, to a repository they control while claiming the victim's OID. Gogs treats the upload as a routine client retry of an object it already holds and overwrites the legitimate file in the shared object store on disk, with no verification of the content.
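The two flaws and their fix, as an added illustration written for this article in Go (the language Gogs is written in); it is not Gogs' own code. The in-memory FakeDisk stands in for the server's object directory, and the two-level sharded path layout (ab/cd/rest) is an assumption made for the demo, not a description of Gogs' actual layout. VulnPut reproduces the behaviour the text describes: the destination depends only on the OID the client claimed, the content is never hashed, and an existing file is silently replaced. SafePut shows the hardened form: hash before writing, scope the path by repository, and treat a re-upload of identical bytes as an idempotent retry.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"path"
	"regexp"
)

// An LFS OID is the lowercase hex SHA-256 of the object content.
var oidPattern = regexp.MustCompile(`^[0-9a-f]{64}$`)

// OIDOf returns the LFS OID (hex SHA-256) of content.
func OIDOf(content []byte) string {
	sum := sha256.Sum256(content)
	return hex.EncodeToString(sum[:])
}

// FakeDisk stands in for the server's object directory: path -> bytes.
type FakeDisk map[string][]byte

// shardPath builds a two-level sharded path (ab/cd/rest) under root.
// The layout is an assumption for this demo, not Gogs' actual one.
func shardPath(root, oid string) string {
	return path.Join(root, oid[:2], oid[2:4], oid[4:])
}

const vulnRoot = "lfs-objects" // one pool shared by every repository

// VulnPut models the flawed upload handler: the path depends only on the
// OID the client claimed, the content is never hashed, and an existing
// file is overwritten as if this were a client retry.
func VulnPut(disk FakeDisk, repoID int64, oid string, content []byte) error {
	if !oidPattern.MatchString(oid) {
		return errors.New("lfs: malformed oid")
	}
	_ = repoID // ignored: the store is not scoped per repository
	disk[shardPath(vulnRoot, oid)] = append([]byte(nil), content...)
	return nil
}

// VulnGet is what a download from any repository on the instance returns.
func VulnGet(disk FakeDisk, oid string) []byte {
	return disk[shardPath(vulnRoot, oid)]
}

var (
	ErrHashMismatch = errors.New("lfs: uploaded content does not hash to the claimed oid")
	ErrConflict     = errors.New("lfs: object already exists with different content")
)

// SafePut is the hardened form: verify the content against the claimed OID
// before touching the disk, scope the path by repository, and treat a
// re-upload of identical bytes as an idempotent retry rather than a rewrite.
func SafePut(disk FakeDisk, repoID int64, oid string, content []byte) error {
	if !oidPattern.MatchString(oid) {
		return errors.New("lfs: malformed oid")
	}
	if OIDOf(content) != oid {
		return ErrHashMismatch
	}
	p := shardPath(path.Join("lfs-objects", fmt.Sprint(repoID)), oid)
	if existing, ok := disk[p]; ok {
		if !bytes.Equal(existing, content) {
			return ErrConflict // unreachable once hashes are verified; defence in depth
		}
		return nil // genuine retry: nothing to do
	}
	disk[p] = append([]byte(nil), content...)
	return nil
}

// SafeGet serves only objects that belong to the requesting repository.
func SafeGet(disk FakeDisk, repoID int64, oid string) []byte {
	return disk[shardPath(path.Join("lfs-objects", fmt.Sprint(repoID)), oid)]
}

func main() {
	legit := []byte("installer v1.0 (constructed sample)")
	evil := []byte("installer v1.0 + backdoor (constructed sample)")
	oid := OIDOf(legit) // the only thing the attacker needs to know

	vuln := FakeDisk{}
	_ = VulnPut(vuln, 1, oid, legit) // victim's repo 1
	_ = VulnPut(vuln, 2, oid, evil)  // attacker's repo 2, claiming the victim's OID
	fmt.Printf("vulnerable store now serves repo 1: %q\n", VulnGet(vuln, oid))

	safe := FakeDisk{}
	_ = SafePut(safe, 1, oid, legit)
	fmt.Println("hardened store rejects attacker:", SafePut(safe, 2, oid, evil))
	fmt.Printf("hardened store still serves repo 1: %q\n", SafeGet(safe, 1, oid))
}
```

The hash check alone is enough to stop the overwrite, because an attacker cannot produce different bytes with the victim's SHA-256; the per-repository path is the second layer, so that even a future bug in the verification cannot let one project's upload reach another project's file.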

Potential Impact

The consequences of CVE-2026-25921 are severe: the attack is low in complexity, requires no user interaction, and needs no privileges beyond the ability to push LFS objects to a repository the attacker controls, which on an instance with open registration any visitor can obtain.

– Supply-Chain Compromise: Legitimate developers or automated systems that download the object from the affected server receive the attacker's backdoored file in place of the original, and any build that consumes it inherits the backdoor.

– Undetectable Tampering: Because the server accepts the attacker's file without validating the authenticity of the data (CWE-345), the overwrite happens silently, with nothing written to the victim's repository history. Victims downloading the LFS object from the Gogs web interface see no warning, error or alert that the file has been altered. One caveat for defenders: the standard git-lfs client recomputes the SHA-256 of every object it downloads and fails the checkout when the result does not match the pointer's OID, so the silent path is any consumer that fetches the raw object without that check, such as a browser download or a CI script that pulls the object over plain HTTP.

Discovery and Reporting

This vulnerability was discovered and reported by security researcher zjuchenyuan. As there is no officially patched version available yet, organizations relying on self-hosted Gogs instances must exercise extreme caution.

Recommended Mitigation Measures

Administrators should consider the following temporary security measures until an official fix is released:

– Restrict Permissions: Disable open registration (DISABLE_REGISTRATION under [service] in app.ini) and limit repository creation and LFS pushes to trusted internal users, since anyone who can upload a single LFS object can overwrite every object on the instance.

– Manual Integrity Checks: Run an external script that periodically re-hashes the critical LFS objects on the host disk and compares each result with the OID under which the object is stored. A correctly stored object always hashes to its own OID, so any mismatch is direct evidence of tampering rather than a false positive.
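One way to implement that periodic check, as an added example written for this article and not a tool shipped by the Gogs project: walk the object directory, stream every object through SHA-256, and report each file whose digest differs from the OID its path encodes. It assumes the same two-level sharded layout (ab/cd/rest under a root directory) as a stand-in for the real one; objectPath and oidFromRel are the two places to adjust if your instance stores objects differently.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// Finding is one object whose bytes on disk do not hash to the OID naming it.
type Finding struct {
	Path     string
	Expected string // OID implied by the object's path
	Actual   string // SHA-256 of the bytes actually on disk
}

// objectPath maps an OID to a two-level sharded path under root (ab/cd/rest).
// The layout is an assumption for this example; adjust objectPath and
// oidFromRel together to match your instance.
func objectPath(root, oid string) string {
	return filepath.Join(root, oid[:2], oid[2:4], oid[4:])
}

// oidFromRel inverts objectPath: drop the separators and require a
// 64-character lowercase hex string. Anything else is not an object file.
func oidFromRel(rel string) (string, bool) {
	oid := strings.ReplaceAll(filepath.ToSlash(rel), "/", "")
	if len(oid) != 64 || strings.ToLower(oid) != oid {
		return "", false
	}
	if _, err := hex.DecodeString(oid); err != nil {
		return "", false
	}
	return oid, true
}

// hashFile streams the file through SHA-256 so large objects need not fit in memory.
func hashFile(p string) (string, error) {
	f, err := os.Open(p)
	if err != nil {
		return "", err
	}
	defer f.Close()
	h := sha256.New()
	if _, err := io.Copy(h, f); err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// ScanLFS walks root, re-hashes every object file and returns those whose
// content does not match their OID, plus the number of objects checked.
// Files whose path does not decode to an OID (temp or partial files) are skipped.
func ScanLFS(root string) ([]Finding, int, error) {
	var findings []Finding
	checked := 0
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if d.IsDir() {
			return nil
		}
		rel, err := filepath.Rel(root, p)
		if err != nil {
			return err
		}
		oid, ok := oidFromRel(rel)
		if !ok {
			return nil
		}
		actual, err := hashFile(p)
		if err != nil {
			return err
		}
		checked++
		if actual != oid {
			findings = append(findings, Finding{Path: p, Expected: oid, Actual: actual})
		}
		return nil
	})
	return findings, checked, err
}

func main() {
	root := "lfs-objects" // assumed default; pass the real directory as argv[1]
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	findings, checked, err := ScanLFS(root)
	if err != nil {
		fmt.Fprintln(os.Stderr, "scan failed:", err)
		os.Exit(2)
	}
	for _, f := range findings {
		fmt.Printf("TAMPERED %s\n  expected %s\n  actual   %s\n", f.Path, f.Expected, f.Actual)
	}
	fmt.Printf("%d objects checked, %d mismatches\n", checked, len(findings))
	if len(findings) > 0 {
		os.Exit(1) // non-zero so a cron job or CI step can alert on it
	}
}
```

Run it from cron against the live object directory and alert on a non-zero exit; because the expected value is derived from the object's own name, no separate list of known-good hashes is needed, and an object that was replaced before the first scan is still caught.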

The eventual developer fix must make Gogs verify that every uploaded LFS object actually hashes to its claimed SHA-256 OID before the object is written to disk, and should also close the isolation gap by scoping stored objects to their repository, or at minimum refusing to overwrite an object that already exists.