CVE-2026-52814
MediumCVSS 5.5Exploitation Probability (EPSS)
Low risk42th percentile — higher than 42% of all known CVEs
Summary
Gogs is an open source Git service that prior to version 0.14.3 was vulnerable to an unauthenticated, asymmetric Denial of Service (DoS) attack via its built-in SSH server. An attacker could open multiple TCP connections to the SSH port, leading to file descriptor exhaustion and destabilization of the entire Gogs process.
Risk Assessment
This vulnerability could lead to complete resource exhaustion on the server, preventing legitimate users from accessing the Git SSH service and potentially causing other operational issues.
Recommendation
It is recommended to upgrade Gogs to version 0.14.3 or later to mitigate this vulnerability and secure the service against potential attacks.
Original NVD description (English source)
Gogs is an open source self-hosted Git service. Prior to 0.14.3, the Gogs built-in Go SSH server is vulnerable to an unauthenticated, asymmetric Denial of Service (DoS) attack. The application accepts inbound TCP connections and passes them to golang.org/x/crypto/ssh.NewServerConn inside a new goroutine without enforcing any read/write deadlines on the underlying net.Conn. An unauthenticated attacker can open multiple TCP connections to the SSH port and simply withhold the SSH protocol banner. This forces the server to spawn an unbounded number of goroutines that block indefinitely waiting for socket I/O. This leads to complete File Descriptor (FD) exhaustion, preventing legitimate users from accessing the Git SSH service, and ultimately destabilizing the entire Gogs process (e.g., causing internal log rotation failures). This vulnerability is fixed in 0.14.3.

