Unrated

Persistent DoS in Gogs repository and wiki pages via malformed Git pathspec filenames

IdentifiersCVE-2025-64719CWE-400

CVE-2025-64719 is a denial-of-service vulnerability in Gogs affecting version 0.14.2 and earlier. A malicious user with permission to create a new file in a repository or add a wiki entry can create files whose names are interpreted by Git as malformed pathspecs. When Gogs later renders repository index or wiki index pages and attempts to recover commit information for those entries, the malformed pathspec handling causes server-side failures that result in HTTP 500 errors. The condition persists as long as the crafted file remains present, making the affected repository or wiki pages unavailable through the web interface.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation causes persistent denial of service against affected Gogs repository and wiki listing pages in the web interface. Repository index pages and wiki index pages return HTTP 500 errors, rendering those views unusable until the malicious file is removed or the instance is fixed. Based on the provided content, the impact is limited to availability of the affected web pages; CLI access is not affected, and there is no indication of code execution, privilege escalation, or data disclosure.

Mitigation

If you can’t patch tonight, do this now.

If immediate upgrade is not possible, restrict or temporarily disable untrusted users' ability to create repository files or wiki entries, and remove any existing maliciously named files or wiki content that trigger the condition. Monitoring for repeated HTTP 500 errors on repository or wiki index pages may help identify exploitation. Specific vendor-supported mitigations beyond upgrading were not provided in the available content.

Remediation

Patch, then assume compromise.

Upgrade Gogs to version 0.14.3 or later, which contains the fix released on 2026-06-07.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

ACTIVITY FEED

Recent activity

1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

1 SOURCESView more in app

lessonsecNews

Jun 20, 2026

CVE-2025-64719: Git Pathspec Confusion Denial of Service in Gogs | less on sec

A denial-of-service vulnerability in Gogs where malformed Git pathspec-like filenames created by an authorized user can trigger persistent HTTP 500 errors on repository and wiki index pages.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2025-64719

NVD

nvd.nist.gov/vuln/detail/CVE-2025-64719

MITRE CWE · CWE-400

cwe.mitre.org