Server-side template injection in gogs.io/gogs

Description

Gogs has DoS in rendering issue index pattern

Summary

A specially crafted issue index pattern template may cause a panic.

Details

In internal/markup/markup.go:

link = fmt.Sprintf(`<a href="%s">%s</a>`, com.Expand(metas["format"], metas), m)

The issue index pattern is rendered into a link with com.Expand.

However, com.Expand is not safe:

i = strings.Index(template, "}")
if s, ok := match[template[:i]]; ok {

When { is found but } is not, strings.Index returns -1, so i becomes -1, template[:-1] is evaluated, and the call panics.


As a result, all pages that contain an issue index become unavailable.
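The failure mode described above, as an added example that is not code from Gogs or from the com package: `expand` is a simplified model of a `{key}` expander, `renderLink` is a hypothetical wrapper, and the URLs and metas are constructed sample values. It shows the unchecked `}` index panicking on an unterminated placeholder, and a checked variant that keeps the remainder as literal text.

```go
package main

import (
	"fmt"
	"strings"
)

// expand is a simplified model of a "{key}" expander (not com.Expand itself).
// With checked=false it repeats the flaw: the "}" index is used unchecked.
// Keys missing from match expand to the empty string in this model.
func expand(template string, match map[string]string, checked bool) string {
	var b strings.Builder
	for {
		i := strings.Index(template, "{")
		if i < 0 {
			break
		}
		b.WriteString(template[:i])
		rest := template[i+1:]
		j := strings.Index(rest, "}")
		if checked && j < 0 {
			// Hardened path: no closing brace, keep the remainder as literal text.
			template = template[i:]
			break
		}
		b.WriteString(match[rest[:j]]) // j == -1 panics: slice bounds out of range
		template = rest[j+1:]
	}
	b.WriteString(template)
	return b.String()
}

// renderLink (hypothetical) converts a panic in the expander into an error,
// so one bad stored pattern cannot take down every page that renders it.
func renderLink(format string, metas map[string]string, checked bool) (out string, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("expand panicked: %v", r)
		}
	}()
	return expand(format, metas, checked), nil
}

func main() {
	// Constructed sample values, not taken from the advisory.
	metas := map[string]string{"user": "alice", "repo": "demo", "index": "1"}
	for _, f := range []string{"https://tracker.example/{user}/{repo}/{index}", "https://tracker.example/{index"} {
		_, e1 := renderLink(f, metas, false)
		s2, e2 := renderLink(f, metas, true)
		fmt.Printf("%q\n  unchecked err: %v\n  checked: %q err: %v\n", f, e1, s2, e2)
	}
}
```

Validating the pattern when it is saved (rejecting unbalanced braces) addresses the same condition before the stored value ever reaches the renderer.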

PoC

    Set the issue index pattern as follows


    Add a commit whose message points to an issue


using #1 above

Impact

A DoS that makes some pages of the specific repo unavailable.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.
