CVE-2026-25242
Gogs · Gogs Git Service
Gogs Git service exposes unauthenticated file upload endpoints by default, allowing remote users to upload arbitrary files and potentially exhaust disk space or host malware.
Executive summary
Gogs versions 0.13.4 and below contain a critical unauthenticated file upload vulnerability that can be exploited for malware hosting or denial-of-service attacks.
Vulnerability
This vulnerability stems from unauthenticated access to the /releases/attachments and /issues/attachments endpoints when the RequireSigninView setting is disabled. In that state any remote user can upload arbitrary files with neither valid credentials nor CSRF protection.
Business impact
The impact includes potential disk exhaustion (DoS), the use of corporate infrastructure to host or deliver malware, and reputational damage. The CVSS score of 9.8 indicates a critical risk because no authentication is required and the potential for system abuse is severe.
Remediation
Immediate Action: Upgrade Gogs to version 0.14.1 or higher. Alternatively, enable the RequireSigninView setting in the configuration to mandate authentication.
Proactive Monitoring: Monitor disk usage trends and review attachment directories for unknown or suspicious file types.
Compensating Controls: Implement rate limiting on upload endpoints and use an antivirus solution to scan all uploaded attachments.
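The configuration check and the attachment-directory review called for in the remediation items above, written out as an added example; this is not Gogs project code. It assumes the app.ini keys Gogs uses for these settings (a [service] section holding REQUIRE_SIGNIN_VIEW and an [attachment] section holding PATH), and the two config fragments, the 100-byte disk budget and the sample attachment files are constructed for the demonstration. The magic-byte list is a "review me" heuristic for file types an issue or release attachment rarely needs, not a malware verdict.

```python
"""Audit helpers for the Gogs attachment-upload exposure.

Added example, not Gogs project code. Assumes Gogs' app.ini layout:
[service] REQUIRE_SIGNIN_VIEW and [attachment] PATH. The config text,
size budget and sample files below are constructed for the demo.
"""
import configparser
import os
import tempfile
from typing import Dict, List, Optional, Tuple

# Constructed app.ini fragments: the weak setting and the hardened form.
WEAK_CONF = """
[service]
REQUIRE_SIGNIN_VIEW = false

[attachment]
ENABLED = true
PATH = data/attachments
"""

HARDENED_CONF = """
[service]
REQUIRE_SIGNIN_VIEW = true

[attachment]
ENABLED = true
PATH = data/attachments
"""

# Leading bytes of file types an attachment rarely needs; flag for review.
SUSPICIOUS_MAGIC = {
    b"MZ": "PE executable",
    b"\x7fELF": "ELF executable",
    b"PK\x03\x04": "ZIP archive (also jar/docx)",
    b"#!": "script with shebang",
}


def signin_required(conf_text: str) -> bool:
    """True only if [service] REQUIRE_SIGNIN_VIEW is explicitly enabled."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return cp.getboolean("service", "REQUIRE_SIGNIN_VIEW", fallback=False)


def classify(path: str) -> Optional[str]:
    """Return a label if the file's leading bytes match a flagged type."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    for magic, label in SUSPICIOUS_MAGIC.items():
        if head.startswith(magic):
            return label
    return None


def audit_attachments(root: str, size_budget: int) -> Dict[str, object]:
    """Walk the attachment directory, total its size, flag suspicious files."""
    total = 0
    flagged: List[Tuple[str, str]] = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            total += os.path.getsize(p)
            label = classify(p)
            if label:
                flagged.append((os.path.relpath(p, root), label))
    return {
        "total_bytes": total,
        "over_budget": total > size_budget,
        "flagged": sorted(flagged),
    }


def demo() -> Dict[str, object]:
    """Build a constructed attachment tree and run the audit over it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "ab"))
        samples = {  # constructed sample attachments
            "ab/notes.txt": b"plain text attachment\n",
            "ab/dropper.bin": b"MZ\x90\x00" + b"\x00" * 60,
            "ab/bundle.zip": b"PK\x03\x04" + b"\x00" * 30,
            "ab/run.sh": b"#!/bin/sh\necho hi\n",
        }
        for rel, data in samples.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        return audit_attachments(root, size_budget=100)


if __name__ == "__main__":
    print("signin required (weak):", signin_required(WEAK_CONF))
    print("signin required (hardened):", signin_required(HARDENED_CONF))
    print(demo())
```

In a real deployment point audit_attachments at the directory named by [attachment] PATH, set the budget from the volume's free space, and run it on a schedule so that a sudden jump in total_bytes or a new flagged entry raises an alert.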
Exploitation status
Public Exploit Available: No
Analyst recommendation
The default "open" state of these endpoints represents a significant liability. Administrators should prioritize the update to version 0.14.1 and verify that RequireSigninView is enabled to ensure only authorized users can upload data.