Gogs Vulnerability Enables Attackers to Silently Overwrite Large File Storage Objects

A critical security flaw has been discovered in a popular open-source, self-hosted Git service, allowing attackers to silently overwrite Large File Storage (LFS) objects.

Tracked as CVE-2026-25921, this maximum-severity vulnerability carries a CVSS 3.1 score of 10.0. It creates a severe risk for software supply-chain attacks.

The flaw currently affects Gogs versions 0.14.1 and earlier, with no official patch available at the time of disclosure.

If exploited, malicious actors could tamper with critical binaries, datasets, or software builds across any repository on a shared server without triggering a single warning.

Gogs Overwrite Vulnerability

The root cause of this vulnerability stems from two critical design flaws in how Gogs handles its Large File Storage architecture:

Lack of Storage Isolation: Gogs stores all uploaded LFS objects in a single shared location without isolating them by repository.

Because the storage path does not include a unique repository ID, every project hosted on the Gogs instance shares the same centralized file pool.

Missing Hash Verification: When a user uploads an LFS file, Gogs does not verify that the file's actual content matches its claimed SHA-256 cryptographic hash (also known as the OID).

Because of these missing security checks, an attacker only needs to know the SHA-256 hash of a target LFS file.

The attacker can then upload a manipulated file, such as a backdoored software installer, to their own repository while claiming the victim’s file hash.

The Gogs server assumes the upload is a routine client retry and overwrites the original, legitimate file in the shared object store without any check.

The impact of CVE-2026-25921 is devastating because it requires low attack complexity, no special privileges, and zero user interaction.

Supply-Chain Compromise: When legitimate developers or automated systems download LFS objects from the affected server, they will unknowingly receive the attacker’s backdoored file.

Undetectable Tampering: Because the system implicitly trusts the attacker’s manipulated file without data authenticity validation (CWE-345), the overwrite happens completely silently.

Victims downloading the LFS object from the Gogs webpage will see no warnings, errors, or alerts that the file has been altered. The vulnerability was discovered and reported by security researcher zjuchenyuan.

Because there is no officially patched version yet, organizations relying on self-hosted Gogs instances must be highly cautious.

Administrators should consider the following temporary security measures until an official fix is released:

Restrict Permissions: Strictly limit account creation and LFS upload permissions to highly trusted internal users to prevent unauthorized actors from overwriting files.

Manual Integrity Checks: Implement external monitoring scripts to periodically verify that the actual SHA-256 hashes of critical LFS files on the host disk match their expected values in the database.

The eventual developer fix will require Gogs to verify that the content of every uploaded LFS object hashes to its claimed SHA-256 OID before writing it to the server disk.
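As an added illustration written for this article (not Gogs code), the following Python sketch shows both controls side by side: the content-hash check that a fix must perform before an LFS object is written, and the external on-disk integrity scan suggested above as an interim measure. The storage layout <root>/<oid[:2]>/<oid[2:4]>/<oid>, the function names, and the sample payloads are assumptions and constructed values, not taken from Gogs.

```python
import hashlib
import os
import re
import tempfile

OID_RE = re.compile(r"^[0-9a-f]{64}$")

def verify_oid(claimed_oid: str, content: bytes) -> bool:
    """The server-side check the fix needs: the content must hash to the claimed OID."""
    return bool(OID_RE.fullmatch(claimed_oid)) and hashlib.sha256(content).hexdigest() == claimed_oid

def object_path(root: str, oid: str) -> str:
    return os.path.join(root, oid[:2], oid[2:4], oid)  # assumed content-addressed layout

def store_object(root: str, claimed_oid: str, content: bytes) -> str:
    """Hardened write: a forged OID cannot replace an object, while a genuine retry stays idempotent."""
    if not verify_oid(claimed_oid, content):
        raise ValueError("LFS object content does not match claimed OID")
    path = object_path(root, claimed_oid)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(content)
    return path

def scan_store(root: str) -> list:
    """External integrity check: returns the OIDs whose on-disk content no longer hashes to the OID."""
    bad = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            parts = os.path.relpath(path, root).split(os.sep)
            # Accept both <aa>/<bb>/<oid> and <aa>/<bb>/<oid[4:]> layouts.
            oid = parts[-1] if OID_RE.fullmatch(parts[-1]) else "".join(parts)
            if OID_RE.fullmatch(oid):  # anything else is not an LFS object file
                with open(path, "rb") as fh:
                    if not verify_oid(oid, fh.read()):
                        bad.append(oid)
    return sorted(bad)

def demo() -> tuple:
    # Constructed scenario: a legitimate upload, then a forged overwrite attempt under the same OID.
    root = tempfile.mkdtemp()
    legit = b"release-v1.0.bin (constructed sample payload)"
    oid = hashlib.sha256(legit).hexdigest()
    store_object(root, oid, legit)
    try:
        store_object(root, oid, b"backdoored build claiming the victim's OID")
    except ValueError:
        return True, root, oid  # the forged upload was refused; the legitimate object is untouched
    return False, root, oid
```

Run `scan_store` from a cron job against the real LFS directory to catch objects altered by any other path; a non-empty result is the alert the page says Gogs itself will not raise.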
