CVE-2026-25921 — AI Deep Analysis Summary

🚨 **Essence**: Gogs < 0.14.2 suffers from **Data Forgery** (CWE-345). LFS objects from different repos can be overwritten. 💥 **Consequences**: Leads to **Supply Chain Attacks**.…

🛡️ **Root Cause**: **CWE-345** (Potential Code Injection/Data Forgery). The flaw lies in how LFS objects are handled across repositories, allowing cross-repo overwrites.…

👥 **Affected**: **Gogs (Go Git Service)**. 📦 **Versions**: All versions **prior to 0.14.2**. 🏢 **Vendor**: Gogs Team. Self-hosted Git service users are at risk.

🕵️ **Attacker Actions**: Overwrite LFS objects between repositories. 📜 **Impact**: **High Integrity (I:H)** impact. Can inject malicious binaries or scripts into trusted projects.…

⚡ **Threshold**: **Low**. CVSS: **AV:N/AC:L/PR:N/UI:N**. No authentication required. No user interaction needed. Network accessible. 🚪 **Entry**: Easy remote exploitation.

🧪 **Public Exp?**: **No PoCs listed** in data. However, GHSA advisory exists. 🌐 **Wild Exp**: Not confirmed public, but severity suggests high risk. Check GHSA-cj4v-437j-jq4c for details.

🔍 **Self-Check**: Scan for Gogs instances. 📋 **Version Check**: Verify if running < 0.14.2. 📂 **LFS Check**: Inspect Large File Storage configurations for cross-repo isolation failures. Use CVSS vector analysis.

✅ **Fixed?**: **Yes**. 🛠️ **Patch**: Upgrade to **Gogs v0.14.2**. 🔗 **Ref**: See GitHub release notes and commit 81ee883. Official mitigation is available.

🚧 **No Patch?**: Isolate LFS storage. 🚫 **Restrict Access**: Limit network exposure if possible. 👀 **Monitor**: Watch for anomalous file changes in LFS directories. ⚠️ **Risk**: High exposure until patched.

🔥 **Urgency**: **HIGH**. 📅 **Published**: 2026-03-05. 📉 **CVSS**: 7.5 (High). 🚀 **Action**: Patch immediately. Supply chain risks are critical. Do not delay.