CVE-2025-64111 — Vulnetix

CVE-2025-64111 PUBLISHED CVSS 9.300000190734863 CRITICAL

Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, due to the insufficient patch for CVE-2024-56731, it's still possible to update files in the .git directory and achieve remote command execution. This issue has been patched in versions 0.13.4 and 0.14.0+dev.

EPSS 0.23% · 45.8th percentile

Risk Scores

CVSS v4.0

9.300000190734863

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS Score

0.23%

45.8th percentile

Affected Products

Vendor	Product	Versions
gogs	gogs	< 0.14.0+dev, < 0.13.4, 0
gogs.io	gogs	0, 0

Timeline

Feb 6, 2026 CVE Published
Feb 7, 2026 EPSS Score
Feb 7, 2026 Security Advisory
Feb 9, 2026 EPSS Score
Feb 10, 2026 PoC Published
Feb 11, 2026 EPSS Score
Feb 12, 2026 PoC Published
Feb 13, 2026 EPSS Score
Feb 15, 2026 EPSS Score
Feb 18, 2026 EPSS Score
Feb 20, 2026 EPSS Score
Feb 22, 2026 EPSS Score

References

https://github.com/gogs/gogs/security/advisories/GHSA-gg64-xxr9-qhjp url
https://nvd.nist.gov/vuln/detail/CVE-2025-64111 advisory
https://github.com/gogs/gogs package
https://github.com/gogs/gogs/blob/d940e692ec58abd45e648c054d7dfd88909034ec/internal/route/api/v1/repo/contents.go#L197-L206 url

Open in Interactive Console →