Server-side cross-site scripting in gogs.io/gogs

Description

Gogs XSS allowed by stored call in PDF renderer

Summary

A stored XSS is present in Gogs which allows client-side JavaScript code execution in the browser of any user who previews the uploaded file.

Details

Gogs Version:

docker images
REPOSITORY   TAG       IMAGE ID       CREATED        SIZE
gogs/gogs    latest    fe92583bc4fe   10 hours ago   99.3MB

Application version: 0.14.0+dev

Local setup using:

# Pull image from Docker Hub.
docker pull gogs/gogs

# Create local directory for volume.
sudo mkdir -p /var/gogs

# Use `docker run` for the first time.
docker run --name=gogs -p 10022:22 -p 10880:3000 -v /var/gogs:/data gogs/gogs...

The vulnerability is caused by the use of a vulnerable and outdated component: pdfjs-1.4.20, bundled under public/plugins/ and used to render PDF files in the repository file preview.
Read more about this vulnerability in the codeanlabs write-up on CVE-2024-4367.
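A defender-side check for the root cause described above, as an added example that is not Gogs project code: it walks a public/plugins/ directory, picks out pdfjs-<version> folders, and flags any older than 4.2.67, the upstream pdf.js release that fixes CVE-2024-4367 (that fixed version is my assumption from Mozilla's advisory, not something this page states). The directory tree it audits is constructed inside the script so it runs offline.

```python
"""Audit a Gogs checkout (or its mounted /data volume) for a bundled pdf.js
older than the CVE-2024-4367 fix.

Added example, not Gogs project code. Assumptions: pdf.js ships under
public/plugins/pdfjs-<version>/ as this advisory shows, and the first fixed
upstream release is 4.2.67 (taken from Mozilla's advisory, not this page).
"""
import os
import re
import tempfile
from typing import Dict, List, Tuple

# Assumed first pdf.js release containing the fix for CVE-2024-4367.
FIXED_VERSION: Tuple[int, int, int] = (4, 2, 67)
# Directory naming convention seen on this page: pdfjs-1.4.20
PLUGIN_DIR_RE = re.compile(r"^pdfjs-(\d+)\.(\d+)\.(\d+)$")


def parse_version(s: str) -> Tuple[int, int, int]:
    """Turn '1.4.20' into (1, 4, 20) so versions compare numerically, not lexically."""
    parts = s.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised pdf.js version string: {s!r}")
    return int(parts[0]), int(parts[1]), int(parts[2])


def is_vulnerable(version: Tuple[int, int, int]) -> bool:
    """Anything below the fixed release still carries the vulnerable font code path."""
    return version < FIXED_VERSION


def find_pdfjs_plugins(plugins_root: str) -> Dict[str, Tuple[int, int, int]]:
    """Map each pdfjs-<ver> directory under plugins_root to its parsed version."""
    found: Dict[str, Tuple[int, int, int]] = {}
    if not os.path.isdir(plugins_root):
        return found
    for name in sorted(os.listdir(plugins_root)):
        m = PLUGIN_DIR_RE.match(name)
        if m and os.path.isdir(os.path.join(plugins_root, name)):
            found[name] = parse_version(".".join(m.groups()))
    return found


def audit(plugins_root: str) -> List[str]:
    """Return the names of bundled pdf.js copies still affected by CVE-2024-4367."""
    return [name for name, ver in find_pdfjs_plugins(plugins_root).items()
            if is_vulnerable(ver)]


def demo() -> List[str]:
    """Constructed plugins/ tree: one outdated copy, one fixed copy, one unrelated plugin."""
    with tempfile.TemporaryDirectory() as tmp:
        for d in ("pdfjs-1.4.20", "pdfjs-4.2.67", "other-plugin-1.0.0"):
            os.makedirs(os.path.join(tmp, d))
        return audit(tmp)


if __name__ == "__main__":
    # On a real install, point audit() at <gogs root>/public/plugins instead.
    for name in demo():
        print(f"VULNERABLE: {name}")
```

Run it against the real path (for the Docker setup on this page, the Gogs binary's public/plugins directory inside the container) rather than the constructed tree. Two caveats: the directory name is only a hint, so also confirm the version string inside the shipped pdf.js file before closing a finding, and a viewer that cannot be upgraded immediately can still be loaded with the pdf.js option isEvalSupported set to false, which disables the code path the CVE abuses at the cost of slower font rendering.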

PoC

1. Upload the Proof of Concept file hosted at https://codeanlabs.com/wp-content/uploads/2024/05/poc_generalized_CVE-2024-4367.pdf in a repository.

2. Click on the file to be previewed.


Credits

Edoardo Ottavianelli

Mitigation
