Description
This module exploits an argument injection vulnerability in the pull request merge flow of Gogs (<= 0.14.2 and <= 0.15.0+dev).
The Merge() function in internal/database/pull.go passes the PR base branch name to `git rebase` without a `--` separator. A branch named `--exec=<CMD>` is parsed by Git as the --exec flag rather than a positional argument, causing `sh -c <CMD>` to run after each replayed commit during the rebase.
Two exploitation methods are supported:
- own_repo: The attacker creates a temporary repository, enables rebase merge, and operates entirely within their own account. Any authenticated user who can create repositories (the default) can exploit this with no interaction from other users required.
- existing_repo: The attacker exploits a repository they already have write and merge access to, where "Rebase before merging" is enabled (or the attacker has repo admin permissions to enable it). This path is useful on instances where repository creation is restricted.
Both methods use git to push divergent branches (including the malicious --exec= branch), open a pull request, and trigger a rebase merge to execute the payload. A local git installation is required.
On Unix targets, the payload is base64-encoded inline in the malicious branch name, avoiding the need to commit files to the repository. On Windows targets, the payload is delivered via a script file committed to the repository, since NTFS forbids pipe characters in filenames. Git for Windows uses MSYS2 sh for --exec commands, enabling cross-platform exploitation.
Note: a successful rebase merge may leave the server-side repository in a corrupted git state (mid-rebase). For own_repo this is inconsequential because the repository is deleted. For existing_repo this can break the target repository and prevent re-exploitation against the same repo.
The Gogs API does not support token deletion, so the API access token created during exploitation cannot be removed automatically and will persist under the attacker account.
Module options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
msf > use exploit/multi/http/gogs_rebase_rcemsf undefined(gogs_rebase_rce) > show actions ...actions...msf undefined(gogs_rebase_rce) > set ACTION < action-name >msf undefined(gogs_rebase_rce) > show options ...show and set options...msf undefined(gogs_rebase_rce) > runPrioritise with Active Threat Intelligence
With curated Threat Intelligence, you can see which vulnerabilities truly put you at risk, prioritize what matters most, and act before attackers do.
Explore Intelligence Hub