
Securing Developer Tools: Unpatched Code Vulnerabilities in Gogs (2/2)

Blog post from Sonar

Post Details
Author: Thomas Chauchefoin, Paul Gerste
Word Count: 2,344
Language: English
Summary

Gogs, an open-source solution for self-hosting source code, has four critical vulnerabilities that the authors discovered and reported. The vulnerabilities allow attackers to compromise vulnerable instances and, from there, steal source code, plant code backdoors, wipe all code, and more. The Gogs maintainers did not patch these vulnerabilities after they were reported, leaving users exposed. To protect themselves, users can disable the built-in SSH server, disable user registration, apply the patches provided by the authors, or switch to a more actively maintained alternative such as Gitea. The vulnerabilities highlight that Git was not designed to operate on untrusted inputs, and the importance of securing its use in such scenarios.