CVE-2025-64175

Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, Gogs’ 2FA recovery code validation does not scope codes by user, enabling cross-account bypass. If an attacker knows a victim’s username and password, they can use any unused recovery code (e.g., from their own account) to bypass the victim’s 2FA. This enables full account takeover and renders 2FA ineffective in all environments where it's enabled.. This issue has been patched in versions 0.13.4 and 0.14.0+dev.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/gogs/gogs/security/advisories/GHSA-p6x6-9mx6-26wj	Vendor Advisory
https://github.com/gogs/gogs/security/advisories/GHSA-p6x6-9mx6-26wj	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:gogs:gogs:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-02-06 18:15

Updated : 2026-02-17 21:38

NVD link : CVE-2025-64175

Mitre link : CVE-2025-64175

CVE.ORG link : CVE-2025-64175

JSON object : View

Products Affected

gogs

gogs

CWE

CWE-287

Improper Authentication

{"id": "CVE-2025-64175", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-06T18:15:55.357", "references": [{"url": "https://github.com/gogs/gogs/security/advisories/GHSA-p6x6-9mx6-26wj", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/gogs/gogs/security/advisories/GHSA-p6x6-9mx6-26wj", "tags": ["Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-287"}]}], "descriptions": [{"lang": "en", "value": "Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, Gogs\u2019 2FA recovery code validation does not scope codes by user, enabling cross-account bypass. If an attacker knows a victim\u2019s username and password, they can use any unused recovery code (e.g., from their own account) to bypass the victim\u2019s 2FA. This enables full account takeover and renders 2FA ineffective in all environments where it's enabled.. This issue has been patched in versions 0.13.4 and 0.14.0+dev."}, {"lang": "es", "value": "Gogs es un servicio Git autoalojado de c\u00f3digo abierto. En la versi\u00f3n 0.13.3 y anteriores, la validaci\u00f3n de c\u00f3digos de recuperaci\u00f3n 2FA de Gogs no limita el alcance de los c\u00f3digos por usuario, lo que permite un bypass entre cuentas. Si un atacante conoce el nombre de usuario y la contrase\u00f1a de una v\u00edctima, puede usar cualquier c\u00f3digo de recuperaci\u00f3n no utilizado (por ejemplo, de su propia cuenta) para omitir el 2FA de la v\u00edctima. Esto permite una toma de control total de la cuenta y hace que el 2FA sea ineficaz en todos los entornos donde est\u00e1 habilitado. Este problema ha sido parcheado en las versiones 0.13.4 y 0.14.0+dev."}], "lastModified": "2026-02-17T21:38:20.497", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:gogs:gogs:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "674F0DE0-7669-4B02-B45E-DD60FB5D462F", "versionEndExcluding": "0.13.4"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}