
Lack of response to critical vulnerability in Gogs is a reminder of the limits of open source projects
A newly discovered and so far unpatched critical vulnerability in the open source Gogs Git service not only demands immediate action from developers to secure their code, it also puts a spotlight on the potential issues in using self-hosted code platforms from small maintainers.
The hole is a critical argument injection vulnerability, discovered by a researcher at Rapid7, that allows any authenticated user to remotely execute code on a Gogs server by creating a pull request with a malicious branch name during a merge operation.
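Argument injection of this kind arises when a user-controlled string such as a branch name reaches a git subprocess in a position where git may read it as an option rather than a ref. As an added example that is not Gogs code or Rapid7's analysis, the Go below shows the defensive pattern: validate the name against git's documented check-ref-format rules (including git's rule that a branch name cannot begin with a dash), fully qualify it under `refs/heads/`, and place it after the `--` end-of-options marker before building the argv. The `MergeArgs` helper and the sample names are constructed for illustration; the block only builds the argument vector and does not run git.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrUnsafeRef is returned for any branch name that fails the checks below.
var ErrUnsafeRef = errors.New("unsafe or invalid git branch name")

// ValidateBranchName rejects names that git's check-ref-format rules forbid and,
// first of all, anything beginning with '-' that a git subprocess could parse as
// an option instead of a ref (the root cause of argument-injection bugs).
// The rule set is a transcription of git's documented rules, not Gogs code.
func ValidateBranchName(name string) error {
	switch {
	case name == "", len(name) > 255:
		return ErrUnsafeRef
	case strings.HasPrefix(name, "-"):
		return fmt.Errorf("%w: starts with '-'", ErrUnsafeRef)
	case name == "@", strings.Contains(name, ".."), strings.Contains(name, "@{"):
		return ErrUnsafeRef
	case strings.HasPrefix(name, "/"), strings.HasSuffix(name, "/"), strings.Contains(name, "//"):
		return ErrUnsafeRef
	case strings.HasSuffix(name, "."), strings.HasSuffix(name, ".lock"):
		return ErrUnsafeRef
	}
	// No slash-separated component may start with '.' or end with ".lock".
	for _, part := range strings.Split(name, "/") {
		if strings.HasPrefix(part, ".") || strings.HasSuffix(part, ".lock") {
			return ErrUnsafeRef
		}
	}
	// Control characters, DEL, space and the characters git reserves are forbidden.
	for _, r := range name {
		if r < 0x20 || r == 0x7f || strings.ContainsRune(" ~^:?*[\\", r) {
			return ErrUnsafeRef
		}
	}
	return nil
}

// MergeArgs builds the argv for merging a pull-request branch. It is a constructed
// example of the hardened pattern: the name is validated, fully qualified under
// refs/heads/ (so it can never start with '-'), and placed after "--" so git
// treats whatever follows only as a revision, never as an option.
func MergeArgs(branch string) ([]string, error) {
	if err := ValidateBranchName(branch); err != nil {
		return nil, err
	}
	return []string{"git", "merge", "--no-ff", "--", "refs/heads/" + branch}, nil
}

func main() {
	// Constructed sample names: one valid branch and three that must be rejected.
	for _, name := range []string{"feature/login-fix", "--not-a-branch", "bad..name", "with space"} {
		if argv, err := MergeArgs(name); err != nil {
			fmt.Printf("rejected %q: %v\n", name, err)
		} else {
			fmt.Printf("accepted %q -> %v\n", name, argv)
		}
	}
}
```

Validation and the `--` marker are independent layers: the validator stops the option-lookalike names before they are ever handed to a process, and the fully qualified ref plus `--` means that even a name the validator misses cannot be parsed as a flag by a git command that honours the end-of-options marker.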
Rapid7 published an analysis of the vulnerability today, after the maintainer of Gogs did not respond to a request for status updates or to an offer to defer disclosu...