CVE Catalog

CVE-2026-52814

MediumCVSS 5.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.55%

42th percentile — higher than 42% of all known CVEs

Summary

Gogs is an open source Git service that prior to version 0.14.3 was vulnerable to an unauthenticated, asymmetric Denial of Service (DoS) attack via its built-in SSH server. An attacker could open multiple TCP connections to the SSH port, leading to file descriptor exhaustion and destabilization of the entire Gogs process.

Risk Assessment

This vulnerability could lead to complete resource exhaustion on the server, preventing legitimate users from accessing the Git SSH service and potentially causing other operational issues.

Recommendation

It is recommended to upgrade Gogs to version 0.14.3 or later to mitigate this vulnerability and secure the service against potential attacks.

Original NVD description (English source)

Gogs is an open source self-hosted Git service. Prior to 0.14.3, the Gogs built-in Go SSH server is vulnerable to an unauthenticated, asymmetric Denial of Service (DoS) attack. The application accepts inbound TCP connections and passes them to golang.org/x/crypto/ssh.NewServerConn inside a new goroutine without enforcing any read/write deadlines on the underlying net.Conn. An unauthenticated attacker can open multiple TCP connections to the SSH port and simply withhold the SSH protocol banner. This forces the server to spawn an unbounded number of goroutines that block indefinitely waiting for socket I/O. This leads to complete File Descriptor (FD) exhaustion, preventing legitimate users from accessing the Git SSH service, and ultimately destabilizing the entire Gogs process (e.g., causing internal log rotation failures). This vulnerability is fixed in 0.14.3.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS