Gogs Git Rebase Argument Injection RCE
| Disclosed | Created |
|---|---|
| Mar 17, 2026 | Jun 3, 2026 |
Description
This module exploits an argument injection vulnerability in the
pull request merge flow of Gogs (
The Merge() function in internal/database/pull.go passes the PR
base branch name to `git rebase` without a `--` separator. A
branch named `--exec=` is parsed by Git as the --exec flag
rather than a positional argument, causing `sh -c ` to run
after each replayed commit during the rebase.
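The mechanism above (a bare positional argument that git's option parser consumes as a flag) is easy to model without touching a real repository. The following Go snippet is an added illustration, not the Gogs Merge() code or the Metasploit module: it builds the argv the vulnerable call shape produces, shows what git would parse out of a branch named `--exec=...`, and contrasts it with a hardened builder that validates the ref name (leading dash, control characters and the other git-check-ref-format(1) rules) and inserts `--` so option parsing stops before the branch name. All function names and the sample branch names are hypothetical.

```go
package main

import (
	"fmt"
	"strings"
)

// rebaseArgs models the vulnerable call shape: the PR base branch name is
// appended to "git rebase" as a bare positional argument with no "--".
// (Hypothetical helper for illustration, not the Gogs Merge() code.)
func rebaseArgs(baseBranch string) []string {
	return []string{"git", "rebase", baseBranch}
}

// looksLikeOption reports whether git's option parser would consume the
// argument as a flag instead of treating it as a revision.
func looksLikeOption(arg string) bool {
	return strings.HasPrefix(arg, "-")
}

// injectedOption returns the long-option name and value git would see if the
// branch name were parsed as an option: "--exec=id" -> ("exec", "id", true).
func injectedOption(branch string) (name, value string, ok bool) {
	if !strings.HasPrefix(branch, "--") {
		return "", "", false
	}
	parts := strings.SplitN(strings.TrimPrefix(branch, "--"), "=", 2)
	if len(parts) == 2 {
		return parts[0], parts[1], true
	}
	return parts[0], "", true
}

// validateBranchName is a server-side defence-in-depth check modelled on the
// rules in git-check-ref-format(1), plus the leading-dash rule git applies to
// branch names created locally (a direct push to refs/heads/ bypasses that
// local rule, which is why the server must check it too).
func validateBranchName(name string) error {
	switch {
	case name == "", name == "@":
		return fmt.Errorf("empty or reserved branch name")
	case strings.HasPrefix(name, "-"):
		return fmt.Errorf("branch name %q begins with '-' and would be parsed as a git option", name)
	case strings.HasPrefix(name, "/"), strings.HasSuffix(name, "/"), strings.Contains(name, "//"):
		return fmt.Errorf("branch name %q has a leading, trailing or doubled slash", name)
	case strings.HasSuffix(name, "."), strings.Contains(name, ".."), strings.Contains(name, "@{"):
		return fmt.Errorf("branch name %q contains a forbidden '.', '..' or '@{' sequence", name)
	}
	for _, comp := range strings.Split(name, "/") {
		if strings.HasPrefix(comp, ".") || strings.HasSuffix(comp, ".lock") {
			return fmt.Errorf("component %q begins with '.' or ends with .lock", comp)
		}
	}
	for _, r := range name {
		// ASCII control characters, DEL, space and git's reserved punctuation.
		if r < 0x20 || r == 0x7f || strings.ContainsRune(" ~^:?*[\\", r) {
			return fmt.Errorf("branch name %q contains forbidden character %q", name, r)
		}
	}
	return nil
}

// safeRebaseArgs validates the name and then terminates option parsing with
// "--" so that even a name starting with '-' is taken as a revision.
func safeRebaseArgs(baseBranch string) ([]string, error) {
	if err := validateBranchName(baseBranch); err != nil {
		return nil, err
	}
	return []string{"git", "rebase", "--", baseBranch}, nil
}

func main() {
	// Constructed sample branch names; "--exec=id" stands in for the elided payload.
	for _, b := range []string{"main", "--exec=id", "feat/x..y"} {
		args := rebaseArgs(b)
		fmt.Printf("vulnerable argv: %q  parsed-as-option=%v\n", args, looksLikeOption(args[2]))
		if name, val, ok := injectedOption(b); ok {
			fmt.Printf("  git sees option --%s with value %q\n", name, val)
		}
		if safe, err := safeRebaseArgs(b); err != nil {
			fmt.Printf("  hardened: rejected: %v\n", err)
		} else {
			fmt.Printf("  hardened argv: %q\n", safe)
		}
	}
}
```

The `--` separator alone closes the injection in this call, but the name check is still worth having: the same branch name reaches other git invocations, and rejecting it at the boundary avoids depending on every call site remembering the separator.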
Two exploitation methods are supported:
- own_repo: The attacker creates a temporary repository, enables
rebase merge, and operates entirely within their own account.
Any authenticated user who can create repositories (the default)
can exploit this with no interaction from other users required.
- existing_repo: The attacker exploits a repository they already
have write and merge access to, where "Rebase before merging"
is enabled (or the attacker has repo admin permissions to
enable it). This path is useful on instances where repository
creation is restricted.
Both methods use git to push divergent branches (including the
malicious --exec= branch), open a pull request, and trigger a
rebase merge to execute the payload. A local git installation
is required.
On Unix targets, the payload is base64-encoded inline in
the malicious branch name, avoiding the need to commit files
to the repository. On Windows targets, the payload is
delivered via a script file committed to the repository,
because Git writes a loose branch ref as a file under refs/heads/ and
NTFS forbids the pipe character in filenames, which rules out the
inline form used on Unix. Git for Windows runs --exec commands with
its MSYS2 sh, so the same branch-name injection works on both
platforms.
Note: a successful rebase merge may leave the server-side
repository in a corrupted git state (mid-rebase). For
own_repo this is inconsequential because the repository is
deleted. For existing_repo this can break the target
repository and prevent re-exploitation against the same repo.
The Gogs API does not support token deletion, so the API
access token created during exploitation cannot be removed
automatically and will persist under the attacker account.
Author
Crypto-Cat
Platform
Linux, Unix, Windows
Architectures
cmd
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':