CVE-2025-64175
Published: 06 February 2026
Summary
CVE-2025-64175 is a high-severity Improper Authentication (CWE-287) vulnerability in Gogs (vendor: Gogs). Its CVSS base score is 7.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); it is ranked at the 34.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-64175 is a vulnerability in Gogs, an open source self-hosted Git service, affecting versions 0.13.3 and prior. The issue lies in the 2FA recovery code validation mechanism, which fails to scope codes to specific users, allowing cross-account bypass. This flaw, classified under CWE-287 (Improper Authentication), has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H).
An attacker with knowledge of a victim's username and password can exploit this by using any unused recovery code—for example, one generated from their own account—to bypass the victim's 2FA entirely. Successful exploitation results in full account takeover, undermining 2FA protections across all enabled environments.
The vulnerability has been addressed in Gogs versions 0.13.4 and 0.14.0+dev. Additional details on the patch and mitigation are available in the GitHub security advisory at https://github.com/gogs/gogs/security/advisories/GHSA-p6x6-9mx6-26wj.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-206882
Vulnerability details
Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, Gogs’ 2FA recovery code validation does not scope codes by user, enabling cross-account bypass. If an attacker knows a victim’s username and password, they can use any unused recovery code (e.g., from their own account) to bypass the victim’s 2FA. This enables full account takeover and renders 2FA ineffective in all environments where it's enabled. This issue has been patched in versions 0.13.4 and 0.14.0+dev.
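The flaw described in the deeper analysis and in the vulnerability details above is a missing predicate: the recovery code lookup matches on the code value alone, so the user performing the login is never part of the check. The Go program below is an added illustration written for this page, not Gogs' own code; the RecoveryCode type, the in-memory Store, and the sample codes for the constructed users "alice" (ID 1) and "bob" (ID 2) are all hypothetical. It places the unscoped lookup beside the hardened one, which requires the code to belong to the authenticating user and consumes it only for that user.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// RecoveryCode is one single-use 2FA recovery code as a service might persist it.
// Constructed model for this example; only a hash of the code is stored.
type RecoveryCode struct {
	UserID   int64  // owner of the code
	CodeHash string // hex SHA-256 of the plaintext code
	Used     bool   // consumed codes must never validate again
}

// Store is an in-memory stand-in for the recovery-code table.
type Store struct {
	codes []*RecoveryCode
}

// hashCode derives the stored digest from a plaintext recovery code.
func hashCode(code string) string {
	sum := sha256.Sum256([]byte(code))
	return hex.EncodeToString(sum[:])
}

// matches compares two hex digests in constant time.
func matches(stored, candidate string) bool {
	return subtle.ConstantTimeCompare([]byte(stored), []byte(candidate)) == 1
}

// UseRecoveryCodeUnscoped models the vulnerable pattern: the caller's user ID is
// available but ignored, so any unused code in the whole table satisfies the
// 2FA step for any account.
func (s *Store) UseRecoveryCodeUnscoped(_ int64, code string) bool {
	h := hashCode(code)
	for _, rc := range s.codes {
		if !rc.Used && matches(rc.CodeHash, h) {
			rc.Used = true
			return true
		}
	}
	return false
}

// UseRecoveryCodeScoped is the hardened form: the user ID is part of the match,
// so a code issued to one account can never complete 2FA for another, and the
// code is marked used only under its owner.
func (s *Store) UseRecoveryCodeScoped(userID int64, code string) bool {
	h := hashCode(code)
	for _, rc := range s.codes {
		if rc.UserID == userID && !rc.Used && matches(rc.CodeHash, h) {
			rc.Used = true
			return true
		}
	}
	return false
}

// NewDemoStore builds a store with constructed codes for two hypothetical users:
// alice (ID 1) and bob (ID 2).
func NewDemoStore() *Store {
	return &Store{codes: []*RecoveryCode{
		{UserID: 1, CodeHash: hashCode("alice-code-1")},
		{UserID: 1, CodeHash: hashCode("alice-code-2")},
		{UserID: 2, CodeHash: hashCode("bob-code-1")},
		{UserID: 2, CodeHash: hashCode("bob-code-2")},
	}}
}

func main() {
	// Scenario: a login for alice (ID 1) presents a code that belongs to bob.
	vulnerable := NewDemoStore()
	fmt.Println("unscoped accepts bob's code for alice:", vulnerable.UseRecoveryCodeUnscoped(1, "bob-code-1"))

	fixed := NewDemoStore()
	fmt.Println("scoped accepts bob's code for alice:  ", fixed.UseRecoveryCodeScoped(1, "bob-code-1"))
	fmt.Println("scoped accepts bob's code for bob:    ", fixed.UseRecoveryCodeScoped(2, "bob-code-1"))
	fmt.Println("scoped accepts the same code twice:   ", fixed.UseRecoveryCodeScoped(2, "bob-code-1"))
}
```

In a SQL-backed service the equivalent fix is to make the user ID part of both the lookup and the consuming update (for example, a predicate over user ID, code hash and an unused flag in one statement) rather than filtering on the code alone; auditing every use of a recovery code with the user ID it was matched against is what makes the anomalous cross-account case visible, which is the point of the AU-12 control listed below.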
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an authentication bypass in a public-facing Git web service (Gogs), which directly enables remote exploitation for account takeover and therefore maps to T1190.
Mitigating Controls (NIST 800-53 r5)
IA-5 requires secure management of authenticators including user-scoped 2FA recovery codes, directly preventing cross-account bypass exploits.
SI-2 mandates timely identification, reporting, and correction of flaws like unscoped 2FA recovery code validation through patching to fixed versions such as 0.13.4.
AU-12 generates audit records for identification and authentication events, enabling detection of anomalous 2FA bypasses via cross-account recovery codes.
Hardening callouts (derived)
Configuration rules from DISA STIG baselines that reduce the attack surface for weaknesses of the type cited by this CVE. They are derived transitively via CVE→CWE→STIG over `controls_xwalks` (authoritative rows only), so they address the weakness class (CWE-287) generically rather than this Gogs flaw specifically.
Oracle Linux 8 (1 rule)
- V-248827 OL 8 must not have the rsh-server package installed. via CWE-287
RHEL 7 (3 rules)
- V-204424 The Red Hat Enterprise Linux operating system must not allow accounts configured with blank or null passwords. via CWE-287
- V-204425 The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using an empty password. via CWE-287
- V-204442 The Red Hat Enterprise Linux operating system must not have the rsh-server package installed. via CWE-287
RHEL 8 (1 rule)
- V-230492 RHEL 8 must not have the rsh-server package installed. via CWE-287
Ubuntu 22.04 (1 rule)
- V-260470 Ubuntu 22.04 LTS, when booted, must require authentication upon booting into single-user and maintenance modes. via CWE-287
Ubuntu 24.04 (2 rules)
- V-270675 Ubuntu 24.04 LTS when booted must require authentication upon booting into single-user and maintenance modes. via CWE-287
- V-270714 Ubuntu 24.04 LTS must not allow accounts configured in Pluggable Authentication Modules (PAM) with blank or null passwords. via CWE-287