CVE-2026-52806
Gogs · Gogs
An authenticated Remote Code Execution vulnerability in Gogs allows users to inject malicious commands via crafted branch names during the merge rebase operation.
Executive summary
Gogs versions prior to 0.14.3 are vulnerable to a critical Remote Code Execution flaw that allows authenticated users to compromise the underlying server.
Vulnerability
The vulnerability is in the "Rebase before merging" pull-request option. Gogs passes the branch name supplied for the merge to `git rebase` as a positional argument, and git parses any argument that begins with `-` as an option. A branch named along the lines of `--exec=<command>` is therefore accepted as the rebase `--exec` option, which runs `<command>` through the shell after each rebased commit. Any authenticated user who can open a pull request with such a crafted branch name can run arbitrary commands on the host with the privileges of the Gogs service account.
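The following Go example is added for this page to show the argument-injection pattern the advisory describes and one way to close it; it is illustrative code, not Gogs' own source, and the function names, the `ValidateBranchName` rule set (taken from git-check-ref-format(1) plus a leading-dash check) and the reliance on `--end-of-options` (accepted by git's option parser since git 2.24, so the deployed git version is an assumption) are all choices made here.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// VulnerableRebaseArgs is the unsafe pattern the advisory describes (an
// illustration written for this page, not Gogs' own code): the user-supplied
// branch name is appended to argv as-is. git parses any argument that begins
// with "-" as an option, so a branch named "--exec=<cmd>" turns the call into
// `git rebase main --exec=<cmd>` and <cmd> runs after every rebased commit.
func VulnerableRebaseArgs(upstream, branch string) []string {
	return []string{"rebase", upstream, branch}
}

// badRefChars: ASCII control characters, DEL, space and the characters that
// git-check-ref-format(1) forbids anywhere in a ref name.
var badRefChars = regexp.MustCompile(`[\x00-\x1f\x7f ~^:?*\[\\]`)

// ValidateBranchName applies the git-check-ref-format(1) rules plus the
// option-injection check (a leading "-"), so a name that passes can neither
// be parsed as an option nor be an invalid ref.
func ValidateBranchName(name string) error {
	switch {
	case name == "" || name == "@":
		return errors.New("empty or reserved branch name")
	case strings.HasPrefix(name, "-"):
		return errors.New("branch name would be parsed as a git option")
	case badRefChars.MatchString(name):
		return errors.New("branch name contains a forbidden character")
	case strings.Contains(name, "..") || strings.Contains(name, "@{") || strings.Contains(name, "//"):
		return errors.New("branch name contains a forbidden sequence")
	case strings.HasPrefix(name, "/") || strings.HasSuffix(name, "/") || strings.HasSuffix(name, "."):
		return errors.New("branch name has a forbidden leading or trailing character")
	}
	for _, part := range strings.Split(name, "/") {
		if strings.HasPrefix(part, ".") || strings.HasSuffix(part, ".lock") {
			return errors.New("branch name component starts with '.' or ends with '.lock'")
		}
	}
	return nil
}

// HardenedRebaseArgs validates both names and, as defence in depth, puts them
// after "--end-of-options" (honoured by git's option parser since git 2.24;
// the deployed git version is an assumption) so that nothing after it can be
// read as an option even if validation is ever bypassed.
func HardenedRebaseArgs(upstream, branch string) ([]string, error) {
	for _, n := range []string{upstream, branch} {
		if err := ValidateBranchName(n); err != nil {
			return nil, fmt.Errorf("%q: %w", n, err)
		}
	}
	return []string{"rebase", "--end-of-options", upstream, branch}, nil
}

func main() {
	crafted := "--exec=id>/tmp/pwned" // constructed attacker-controlled branch name
	fmt.Printf("vulnerable argv: git %s\n", strings.Join(VulnerableRebaseArgs("main", crafted), " "))
	if _, err := HardenedRebaseArgs("main", crafted); err != nil {
		fmt.Println("hardened argv:   rejected:", err)
	}
	ok, _ := HardenedRebaseArgs("main", "feature/login-fix")
	fmt.Printf("hardened argv:   git %s\n", strings.Join(ok, " "))
}
```

The leading-dash check costs nothing in legitimate functionality: git itself refuses to create such a branch through `git branch` or `git checkout -b`, so a request carrying one is never a normal workflow. The `--end-of-options` separator is the second layer; it protects positional arguments even if a future code path forgets to call the validator.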
Business impact
Successful exploitation of this vulnerability results in full system compromise, allowing an attacker to gain unauthorized access to the server, modify source code repositories, or pivot into the internal network. Given the CVSS score of 9.9, this represents an extreme risk to the integrity and availability of the development environment.
Remediation
Immediate Action: Upgrade to Gogs version 0.14.3 or later, which resolves the command injection flaw.
Proactive Monitoring: Review application logs for unusual pull request activity or unexpected process spawning originating from the Gogs service account.
Compensating Controls: If immediate patching is not possible, restrict access to the Gogs web interface and API to trusted network segments, and reject or alert on branch names that begin with `-` at the Web Application Firewall (WAF) or reverse proxy; a name that git would parse as an option is never part of a legitimate workflow.
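To make the monitoring and WAF guidance above concrete, here is an added Go example (written for this page, not a Gogs component or log format) that scans merge events for branch names git would parse as options. The `pull.merge` key=value line format and the sample entries are constructed for the demonstration and must be replaced with the real Gogs or reverse-proxy log format before use.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// SampleLog is constructed for this example; the "pull.merge" key=value format
// is invented here and is not what Gogs emits.
var SampleLog = []string{
	`2026-03-01T10:01:55Z pull.merge user=alice repo=acme/app head="feature/login-fix" base=main style=rebase`,
	`2026-03-01T10:02:11Z pull.merge user=mallory repo=acme/app head="--exec=id>/tmp/pwned" base=main style=rebase`,
	`2026-03-01T10:02:40Z pull.merge user=mallory repo=acme/app head="--interactive" base=main style=rebase`,
	`2026-03-01T10:03:02Z pull.merge user=bob repo=acme/lib head="bugfix/null-deref" base=develop style=merge`,
	`2026-03-01T10:03:30Z repo.push user=bob repo=acme/lib ref=refs/heads/bugfix/null-deref`,
}

// mergeRE matches the constructed format: timestamp, event, user, repo, quoted
// head branch, base branch and merge style.
var mergeRE = regexp.MustCompile(`^(\S+) pull\.merge user=(\S+) repo=(\S+) head="([^"]*)" base=(\S+) style=(\S+)`)

// Finding is one merge event whose head branch would be parsed by git as an
// option rather than a ref.
type Finding struct {
	Line   int
	Time   string
	User   string
	Repo   string
	Branch string
	Style  string
}

// optionLike reports whether git would treat the name as an option. A leading
// "-" covers --exec, its short form -x and every other flag, so the rule does
// not depend on knowing the exact payload.
func optionLike(name string) bool { return strings.HasPrefix(name, "-") }

// ScanMergeLog returns one Finding per merge event with an option-like head
// branch. Every style is reported; "rebase" is the one this CVE triggers on,
// and the Style field lets the responder prioritise those.
func ScanMergeLog(lines []string) []Finding {
	var out []Finding
	for i, l := range lines {
		m := mergeRE.FindStringSubmatch(l)
		if m == nil || !optionLike(m[4]) {
			continue
		}
		out = append(out, Finding{Line: i + 1, Time: m[1], User: m[2], Repo: m[3], Branch: m[4], Style: m[6]})
	}
	return out
}

// UsersToReview aggregates findings by account so the responder can pivot to
// that user's sessions, SSH keys and other repositories.
func UsersToReview(findings []Finding) map[string]int {
	counts := map[string]int{}
	for _, f := range findings {
		counts[f.User]++
	}
	return counts
}

func main() {
	findings := ScanMergeLog(SampleLog)
	for _, f := range findings {
		fmt.Printf("line %d %s user=%s repo=%s style=%s head=%q\n", f.Line, f.Time, f.User, f.Repo, f.Style, f.Branch)
	}
	for user, n := range UsersToReview(findings) {
		fmt.Printf("review account %s (%d suspicious merge attempts)\n", user, n)
	}
}
```

Pair the log scan with host telemetry: a hit here should be correlated with child processes of the Gogs service account that are not `git`, which is the other signal the Proactive Monitoring item asks for.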
Exploitation status
Public Exploit Available: No
Analyst recommendation
The severity of this Remote Code Execution vulnerability cannot be overstated. Administrators should treat the upgrade to Gogs 0.14.3 as urgent: an authenticated user with a crafted branch name needs no further foothold to take over the server and alter the repositories it hosts.