Vulnerability-Lookup

CVE-2025-64175 (GCVE-0-2025-64175)

Vulnerability from cvelistv5 – Published: 2026-02-06 17:41 – Updated: 2026-02-07 04:55

Title

Gogs Vulnerable to 2FA Bypass via Recovery Code

Summary

Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, Gogs’ 2FA recovery code validation does not scope codes by user, enabling cross-account bypass. If an attacker knows a victim’s username and password, they can use any unused recovery code (e.g., from their own account) to bypass the victim’s 2FA. This enables full account takeover and renders 2FA ineffective in all environments where it's enabled.. This issue has been patched in versions 0.13.4 and 0.14.0+dev.

Severity ?

7.7 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE

CWE-287 - Improper Authentication

Assigner

GitHub_M

References

URL

Tags

https://github.com/gogs/gogs/security/advisories/…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	gogs	gogs	Affected: < 0.14.0+dev Affected: < 0.13.4

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-64175",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-06T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-07T04:55:21.911Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/gogs/gogs/security/advisories/GHSA-p6x6-9mx6-26wj"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "gogs",
          "vendor": "gogs",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.14.0+dev"
            },
            {
              "status": "affected",
              "version": "\u003c 0.13.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, Gogs\u2019 2FA recovery code validation does not scope codes by user, enabling cross-account bypass. If an attacker knows a victim\u2019s username and password, they can use any unused recovery code (e.g., from their own account) to bypass the victim\u2019s 2FA. This enables full account takeover and renders 2FA ineffective in all environments where it\u0027s enabled.. This issue has been patched in versions 0.13.4 and 0.14.0+dev."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-287",
              "description": "CWE-287: Improper Authentication",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-06T17:41:07.321Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/gogs/gogs/security/advisories/GHSA-p6x6-9mx6-26wj",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/gogs/gogs/security/advisories/GHSA-p6x6-9mx6-26wj"
        }
      ],
      "source": {
        "advisory": "GHSA-p6x6-9mx6-26wj",
        "discovery": "UNKNOWN"
      },
      "title": "Gogs Vulnerable to 2FA Bypass via Recovery Code"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-64175",
    "datePublished": "2026-02-06T17:41:07.321Z",
    "dateReserved": "2025-10-28T21:07:16.439Z",
    "dateUpdated": "2026-02-07T04:55:21.911Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-64175\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-02-06T18:15:55.357\",\"lastModified\":\"2026-02-06T21:57:22.450\",\"vulnStatus\":\"Undergoing Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, Gogs\u2019 2FA recovery code validation does not scope codes by user, enabling cross-account bypass. If an attacker knows a victim\u2019s username and password, they can use any unused recovery code (e.g., from their own account) to bypass the victim\u2019s 2FA. This enables full account takeover and renders 2FA ineffective in all environments where it\u0027s enabled.. This issue has been patched in versions 0.13.4 and 0.14.0+dev.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":7.7,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-287\"}]}],\"references\":[{\"url\":\"https://github.com/gogs/gogs/security/advisories/GHSA-p6x6-9mx6-26wj\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/gogs/gogs/security/advisories/GHSA-p6x6-9mx6-26wj\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-64175\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-06T18:58:04.265891Z\"}}}], \"references\": [{\"url\": \"https://github.com/gogs/gogs/security/advisories/GHSA-p6x6-9mx6-26wj\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-02-06T18:57:54.864Z\"}}], \"cna\": {\"title\": \"Gogs Vulnerable to 2FA Bypass via Recovery Code\", \"source\": {\"advisory\": \"GHSA-p6x6-9mx6-26wj\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 7.7, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"gogs\", \"product\": \"gogs\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.14.0+dev\"}, {\"status\": \"affected\", \"version\": \"\u003c 0.13.4\"}]}], \"references\": [{\"url\": \"https://github.com/gogs/gogs/security/advisories/GHSA-p6x6-9mx6-26wj\", \"name\": \"https://github.com/gogs/gogs/security/advisories/GHSA-p6x6-9mx6-26wj\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, Gogs\\u2019 2FA recovery code validation does not scope codes by user, enabling cross-account bypass. If an attacker knows a victim\\u2019s username and password, they can use any unused recovery code (e.g., from their own account) to bypass the victim\\u2019s 2FA. This enables full account takeover and renders 2FA ineffective in all environments where it\u0027s enabled.. This issue has been patched in versions 0.13.4 and 0.14.0+dev.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-287\", \"description\": \"CWE-287: Improper Authentication\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-02-06T17:41:07.321Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-64175\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-07T04:55:21.911Z\", \"dateReserved\": \"2025-10-28T21:07:16.439Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-02-06T17:41:07.321Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-P6X6-9MX6-26WJ

Vulnerability from github – Published: 2026-02-06 17:54 – Updated: 2026-02-06 19:06

Summary

Gogs Vulnerable to 2FA Bypass via Recovery Code

Details

Contact OpenAI Security Research at outbounddisclosures@openai.com to engage on this report.
See PDF report for easier reading.

Security Advisory: 2FA Bypass via Recovery Code Vulnerability Type: 2FA Authentication Bypass Affected Software: GOGS Severity: High Date: Aug 5, 2025 Discoverer: OpenAI Security Research Summary Gogs’ 2FA recovery code validation does not scope codes by user, enabling cross-account bypass. If an attacker knows a victim’s username and password, they can use Security Advisory_ 2FA Bypass via Recovery Code - Google Docs.pdf any unused recovery code (e.g., from their own account) to bypass the victim’s 2FA. This enables full account takeover and renders 2FA ineffective in all environments where it's enabled. Affected Versions Software: Gogs Confirmed Version(s): All versions with 2FA support Likely Affected: All versions since introduction of UseRecoveryCode logic Introduced Commit: a617d52374e937db0edacfba2a26bdd14a05538e Commit: a617d52374e937db0edacfba2a26bdd14a05538e Author: Joe Chen Date: Apr 5, 2017 Description: 2fa: initial support

Vulnerability Details The function UseRecoveryCode in internal/database/two_factor.go fails to check that the recovery code belongs to the authenticating user. Instead, it looks for any unused recovery code: Vulnerable Code Snippet

func UseRecoveryCode(_ int64, code string) error {
    recoveryCode := new(TwoFactorRecoveryCode)
    has, err := x.Where("code = ?", code).And("is_used = ?", false).Get(recoveryCode)
    ...
}

Although the caller passes userID, it is ignored. The result is a global lookup for any unused code, allowing an attacker to submit their own recovery code during another user's login flow.

Call Chain

web login handler → UseRecoveryCode(userID, code) → DB query without userID constraint Proof-of-Concept (PoC) Description This bug is tested against the latest version of Gogs hosted on Dockerhub. Attacker uses their own recovery code to bypass another user’s 2FA. Steps Create attacker account A and enable 2FA. Save a code like "abcde-fghij". Obtain credentials for victim B. Attempt login as B via web. When prompted for recovery code, submit A's code. Login as B succeeds; A's code is marked as used.

Impact 2FA rendered ineffective for all users Realistic Exploitation Scenarios Public Gogs instances with 2FA enabled Developer or maintainer accounts Enterprise self-hosted Gogs servers Potential Impact This vulnerability critically undermines 2FA. Since recovery codes are not globally unique and lack user scoping, any attacker with victim credentials can use one of their own recovery codes to complete login as the victim — bypassing all 2FA protections. This opens the door to account hijacking, data exfiltration, and downstream supply chain compromise. Timeline August 2025: Discovered via GPT5 August 2025: Reproduced and confirmed via PoC and sanitizer Aug 6, 2025 - Sent to Gogs via https://github.com/gogs/gogs/security/advisories/new

This information is being shared by OpenAI solely for the purpose of improving security and reducing potential harm. This information is presented as-is. OpenAI Security Research makes no representations or warranties, express or implied, as to the completeness, accuracy, or fitness for any particular purpose of the information. [This includes, without limitation any suggestions or ideas presented on how to remedy or mitigate an identified vulnerability, including whether such suggestions or ideas would be effective and/or could have other negative impacts.] OpenAI disclaims any liability for direct or indirect damages arising from the reliance on, or use, misuse, or interpretation of this information. Any references to third-party systems, services, or entities are included solely for identification purposes and do not imply endorsement, responsibility, or attribution.

Severity ?

7.7 (High)


                  
                    CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard Create KEV Entry

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.13.3"
      },
      "package": {
        "ecosystem": "Go",
        "name": "gogs.io/gogs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.11.19"
            },
            {
              "fixed": "0.13.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-64175"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-06T17:54:52Z",
    "nvd_published_at": "2026-02-06T18:15:55Z",
    "severity": "HIGH"
  },
  "details": "Contact OpenAI Security Research at outbounddisclosures@openai.com to engage on this report.  \nSee PDF report for easier reading.\n\nSecurity Advisory: 2FA Bypass via Recovery Code\nVulnerability Type: 2FA Authentication Bypass\nAffected Software: GOGS\nSeverity: High\nDate: Aug 5, 2025\nDiscoverer: OpenAI Security Research\nSummary\nGogs\u2019 2FA recovery code validation does not scope codes by user, enabling cross-account bypass. If an attacker knows a victim\u2019s username and password, they can use\n[Security Advisory_ 2FA Bypass via Recovery Code - Google Docs.pdf](https://github.com/user-attachments/files/21643266/Security.Advisory_.2FA.Bypass.via.Recovery.Code.-.Google.Docs.pdf)\n any unused recovery code (e.g., from their own account) to bypass the victim\u2019s 2FA. This enables full account takeover and renders 2FA ineffective in all environments where it\u0027s enabled.\nAffected Versions\nSoftware: [Gogs](https://github.com/gogs/gogs/tree/main)\nConfirmed Version(s): All versions with 2FA support\nLikely Affected: All versions since introduction of UseRecoveryCode logic\nIntroduced Commit: [a617d52374e937db0edacfba2a26bdd14a05538e](https://github.com/gogs/gogs/commit/a617d52374e937db0edacfba2a26bdd14a05538e) \nCommit: a617d52374e937db0edacfba2a26bdd14a05538e\nAuthor: Joe Chen\nDate: Apr 5, 2017\nDescription: 2fa: initial support \n\nVulnerability Details\nThe function UseRecoveryCode in internal/database/two_factor.go fails to check that the recovery code belongs to the authenticating user. Instead, it looks for any unused recovery code:\nVulnerable Code Snippet\n```go\nfunc UseRecoveryCode(_ int64, code string) error {\n    recoveryCode := new(TwoFactorRecoveryCode)\n    has, err := x.Where(\"code = ?\", code).And(\"is_used = ?\", false).Get(recoveryCode)\n    ...\n}\n```\nAlthough the caller passes userID, it is ignored. The result is a global lookup for any unused code, allowing an attacker to submit their own recovery code during another user\u0027s login flow.\n\nCall Chain\n\nweb login handler\n  \u2192 UseRecoveryCode(userID, code)\n    \u2192 DB query without userID constraint\nProof-of-Concept (PoC)\nDescription\nThis bug is tested against the latest version of Gogs hosted on [Dockerhub](https://hub.docker.com/r/gogs/gogs). Attacker uses their own recovery code to bypass another user\u2019s 2FA.\nSteps\nCreate attacker account A and enable 2FA. Save a code like \"abcde-fghij\".\nObtain credentials for victim B.\nAttempt login as B via web.\nWhen prompted for recovery code, submit A\u0027s code.\nLogin as B succeeds; A\u0027s code is marked as used.\n\n\nImpact\n2FA rendered ineffective for all users\nRealistic Exploitation Scenarios\nPublic Gogs instances with 2FA enabled\nDeveloper or maintainer accounts\nEnterprise self-hosted Gogs servers\nPotential Impact\nThis vulnerability critically undermines 2FA. Since recovery codes are not globally unique and lack user scoping, any attacker with victim credentials can use one of their own recovery codes to complete login as the victim \u2014 bypassing all 2FA protections. This opens the door to account hijacking, data exfiltration, and downstream supply chain compromise.\nTimeline\nAugust 2025: Discovered via GPT5\nAugust 2025: Reproduced and confirmed via PoC and sanitizer\nAug 6, 2025 - Sent to Gogs via https://github.com/gogs/gogs/security/advisories/new\n\n\nThis information is being shared by OpenAI solely for the purpose of improving security and reducing potential harm. This information is presented as-is.  OpenAI Security Research makes no representations or warranties, express or implied, as to the completeness, accuracy, or fitness for any particular purpose of the information. [This includes, without limitation any suggestions or ideas presented on how to remedy or mitigate an identified vulnerability, including whether such suggestions or ideas would be effective and/or could have other negative impacts.]\nOpenAI disclaims any liability for direct or indirect damages arising from the reliance on, or use, misuse, or interpretation of this information. Any references to third-party systems, services, or entities are included solely for identification purposes and do not imply endorsement, responsibility, or attribution.",
  "id": "GHSA-p6x6-9mx6-26wj",
  "modified": "2026-02-06T19:06:46Z",
  "published": "2026-02-06T17:54:52Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/security/advisories/GHSA-p6x6-9mx6-26wj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64175"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/commit/a617d52374e937db0edacfba2a26bdd14a05538e"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/commit/d568e048315dc9729c8518d8085cab7dbbfac80f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gogs/gogs"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Gogs Vulnerable to  2FA Bypass via Recovery Code"
}

FKIE_CVE-2025-64175

Vulnerability from fkie_nvd - Published: 2026-02-06 18:15 - Updated: 2026-02-06 21:57

Severity ?

7.7 (High) - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/gogs/gogs/security/advisories/GHSA-p6x6-9mx6-26wj
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/gogs/gogs/security/advisories/GHSA-p6x6-9mx6-26wj

Impacted products

	Vendor	Product	Version

JSON

To clipboard Create KEV Entry

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, Gogs\u2019 2FA recovery code validation does not scope codes by user, enabling cross-account bypass. If an attacker knows a victim\u2019s username and password, they can use any unused recovery code (e.g., from their own account) to bypass the victim\u2019s 2FA. This enables full account takeover and renders 2FA ineffective in all environments where it\u0027s enabled.. This issue has been patched in versions 0.13.4 and 0.14.0+dev."
    }
  ],
  "id": "CVE-2025-64175",
  "lastModified": "2026-02-06T21:57:22.450",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "PRESENT",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 7.7,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "LOW",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "HIGH",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-02-06T18:15:55.357",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/gogs/gogs/security/advisories/GHSA-p6x6-9mx6-26wj"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "url": "https://github.com/gogs/gogs/security/advisories/GHSA-p6x6-9mx6-26wj"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Undergoing Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-287"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-64175 (GCVE-0-2025-64175)

GHSA-P6X6-9MX6-26WJ

FKIE_CVE-2025-64175

Tags

Sightings

Nomenclature