Verified — Gogs path traversal in organization name results in RCE through Git hooks
Severity CRITICAL
Confidence HIGH
Reproduced in 29m 54s
Tool calls 276
Spend $7.49
Affected All versions before 0.14.3
Fixed in 0.14.3
$
pruva-verify REPRO-2026-00192 or
curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00192/artifacts/bundle/repro/reproduction_steps.sh && chmod +x reproduction_steps.sh && ./reproduction_steps.sh Run in a VM or disposable container. This exploits a real vulnerability.
Gogs (self-hosted Git service) accepts organization names containing path traversal sequences (../) via the API. Repository paths under such organizations are written to arbitrary filesystem locations. By creating a nested Git repository structure inside another repository's local worktree, an attacker can overwrite Git hooks (e.g., hooks/update) and achieve remote code execution as the git user.
Variant analysis
The agent's step-by-step process — every tool call, every handoff, the moment the exploit fired. Phases: support triages the advisory · repro reproduces it · vuln_variant confirms the fix blocks it · judge verifies.
Loading session...
Scripts, logs, diffs, and output captured during the reproduction.
bundle/repro/runtime_manifest.json1.3 KBbundle/repro/proof_summary.txt0.5 KBbundle/repro/rce_marker_vuln_1.txt0.2 KBbundle/repro/rce_marker_vuln_2.txt0.2 KBbundle/repro/validation_verdict.json1.5 KBbundle/ticket.json1.1 KBbundle/ticket.md0.7 KBbundle/logs/upload_vuln_1/first_page.log15.5 KBbundle/logs/upload_vuln_1/second_commit.log0.0 KBbundle/logs/upload_vuln_1/second_page.log15.5 KBbundle/logs/upload_vuln_1/first_commit.log0.0 KBbundle/logs/http_fixed_1.log.lpost0.0 KBbundle/logs/http_fixed_2.log.lp7.2 KBbundle/logs/git_fixed_2.log1.1 KBbundle/logs/upload_fixed_1/first_page.log15.4 KBbundle/logs/upload_fixed_1/first_commit.log0.0 KBbundle/logs/upload_fixed_2/first_page.log15.5 KBbundle/logs/upload_fixed_2/first_commit.log0.0 KBbundle/logs/state_fixed_1.log5.7 KBbundle/logs/gogs_fixed_2.log4.2 KBbundle/logs/http_fixed_1.log.lp7.2 KBbundle/logs/gogs_fixed_1.log4.1 KBbundle/logs/http_vuln_1.log.lp7.2 KBbundle/logs/http_fixed_2.log.lpost0.0 KBbundle/logs/gogs_vuln_2.log4.8 KBbundle/logs/git_vuln_2.log1.3 KBbundle/logs/http_vuln_2.log1.7 KBbundle/logs/create_user_fixed_1.log0.1 KBbundle/logs/upload_vuln_2/first_page.log15.4 KBbundle/logs/upload_vuln_2/second_commit.log0.0 KBbundle/logs/upload_vuln_2/second_page.log15.4 KBbundle/logs/upload_vuln_2/first_commit.log0.0 KBbundle/logs/gogs_vuln_1.log4.8 KBbundle/logs/git_fixed_1.log1.1 KBbundle/logs/http_fixed_1.log1.0 KBbundle/logs/create_user_vuln_2.log0.1 KBbundle/logs/build_vuln.log0.0 KBbundle/logs/http_vuln_1.log.lpost0.0 KBbundle/logs/build_fixed.log0.0 KBbundle/logs/state_vuln_1.log9.1 KBbundle/logs/git_vuln_1.log1.3 KBbundle/logs/state_vuln_2.log9.1 KBbundle/logs/http_fixed_2.log1.0 KBbundle/logs/reproduction_steps.log2.2 KBbundle/logs/create_user_vuln_1.log0.1 KBbundle/logs/state_fixed_2.log5.7 KBbundle/logs/http_vuln_1.log1.7 KBbundle/logs/create_user_fixed_2.log0.1 KBbundle/logs/http_vuln_2.log.lpost0.0 KBbundle/logs/http_vuln_2.log.lp7.2 KBbundle/repro/reproduction_steps.sh19.3 KBbundle/repro/rca_report.md11.3 KBbundle/coding/proposed_fix.diff2.4 KBbundle/coding/summary_report.md7.6 KBbundle/coding/verify_fix.sh6.2 KBbundle/logs/vuln_variant/fixed_version.txt0.3 KBbundle/logs/vuln_variant/vuln_version.txt0.4 KBbundle/logs/vuln_variant_steps.log1.9 KBbundle/logs/vv_build_fixed.log0.0 KBbundle/logs/vv_build_vuln.log0.0 KBbundle/logs/vv_create_user_fixed.log0.1 KBbundle/logs/vv_create_user_vuln.log0.1 KBbundle/logs/vv_git_fixed.log1.1 KBbundle/logs/vv_git_vuln.log1.3 KBbundle/logs/vv_gogs_fixed.log4.1 KBbundle/logs/vv_gogs_vuln.log4.8 KBbundle/logs/vv_http_fixed.log1.0 KBbundle/logs/vv_http_fixed.log.lp7.2 KBbundle/logs/vv_http_fixed.log.lpost0.0 KBbundle/logs/vv_http_vuln.log1.7 KBbundle/logs/vv_http_vuln.log.lp7.2 KBbundle/logs/vv_http_vuln.log.lpost0.0 KBbundle/logs/vv_state_fixed.log5.8 KBbundle/logs/vv_state_vuln.log9.3 KBbundle/logs/vv_upload_fixed/first_commit.log0.0 KBbundle/logs/vv_upload_fixed/first_page.log15.3 KBbundle/logs/vv_upload_vuln/first_commit.log0.0 KBbundle/logs/vv_upload_vuln/first_page.log15.3 KBbundle/logs/vv_upload_vuln/second_commit.log0.0 KBbundle/logs/vv_upload_vuln/second_page.log15.3 KBbundle/vuln_variant/findings_notes.txt2.4 KBbundle/vuln_variant/patch_analysis.md8.9 KBbundle/vuln_variant/rca_report.md18.5 KBbundle/vuln_variant/rce_marker_vuln.txt0.2 KBbundle/vuln_variant/reproduction_steps.sh19.5 KBbundle/vuln_variant/root_cause_equivalence.json2.8 KBbundle/vuln_variant/runtime_manifest.json1.1 KBbundle/vuln_variant/source_identity.json1.8 KBbundle/vuln_variant/validation_verdict.json4.7 KBbundle/vuln_variant/variant_manifest.json6.6 KBbundle/vuln_variant/variant_proof_summary.txt0.6 KB