Cyber Posture

CVE-2025-64175

Severity: High
Published: 06 February 2026
Modified: 17 February 2026
KEV Added: not listed
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (6.4th percentile)
Risk Priority: 18 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-64175 is a high-severity Improper Authentication (CWE-287) vulnerability in Gogs (vendor: Gogs; product: Gogs), a self-hosted Git service. Its CVSS v3.1 base score is 8.8 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 6.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

Prevent: IA-5 requires secure management of authenticators, including user-scoped 2FA recovery codes, directly preventing cross-account bypass exploits.

Prevent: SI-2 mandates timely identification, reporting, and correction of flaws such as unscoped 2FA recovery code validation, by patching to a fixed version such as 0.13.4.

Detect: AU-12 generates audit records for identification and authentication events, enabling detection of anomalous 2FA bypasses via cross-account recovery codes.

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why this technique? The vulnerability is an authentication bypass in a public-facing Git web service (Gogs), directly enabling remote exploitation for account takeover via T1190.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, Gogs' 2FA recovery code validation does not scope codes by user, enabling cross-account bypass. If an attacker knows a victim's username and password, they can use any unused recovery code (e.g., from their own account) to bypass the victim's 2FA. This enables full account takeover and renders 2FA ineffective in all environments where it's enabled. This issue has been patched in versions 0.13.4 and 0.14.0+dev.

Deeper analysis [AI-generated]

CVE-2025-64175 is a vulnerability in Gogs, an open source self-hosted Git service, affecting versions 0.13.3 and prior. The issue lies in the 2FA recovery code validation mechanism, which fails to scope codes to the user being authenticated, allowing a code issued to one account to satisfy the 2FA check on another. This flaw, classified under CWE-287 (Improper Authentication), has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

An attacker who already holds a victim's username and password can use any unused recovery code (for example, one generated for their own account) to bypass the victim's 2FA entirely. Successful exploitation results in full account takeover, and 2FA offers no protection in any environment where it is enabled on an affected version.

The vulnerability has been addressed in Gogs versions 0.13.4 and 0.14.0+dev. Additional details on the patch and mitigation are available in the GitHub security advisory at https://github.com/gogs/gogs/security/advisories/GHSA-p6x6-9mx6-26wj.
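The root cause described above, shown as an added illustration in Go (the language Gogs is written in). This is not Gogs' own code: the RecoveryCode and Store types, the two lookup functions and the sample codes are a hypothetical, simplified model constructed for this example. The unscoped lookup keys on the code alone; the corrected lookup additionally requires the code to belong to the account that just passed password authentication.

```go
package main

import "crypto/subtle"

// RecoveryCode is one single-use 2FA recovery code bound to the account that
// generated it (hypothetical model for this example, not Gogs' own types).
type RecoveryCode struct {
	UserID int64
	Code   string
	Used   bool
}

// Store holds every account's recovery codes in one table.
type Store struct{ codes []RecoveryCode }

// UseRecoveryCodeUnscoped models the flawed check: it keys on the code alone, so
// any unused code in the table, even one issued to another account, passes 2FA.
func (s *Store) UseRecoveryCodeUnscoped(code string) bool {
	for i := range s.codes {
		c := &s.codes[i]
		if !c.Used && subtle.ConstantTimeCompare([]byte(c.Code), []byte(code)) == 1 {
			c.Used = true // consume it: recovery codes are single-use
			return true
		}
	}
	return false
}

// UseRecoveryCodeScoped is the corrected check: the code must be unused AND
// belong to the account that just passed password authentication.
func (s *Store) UseRecoveryCodeScoped(userID int64, code string) bool {
	for i := range s.codes {
		c := &s.codes[i]
		if !c.Used && c.UserID == userID &&
			subtle.ConstantTimeCompare([]byte(c.Code), []byte(code)) == 1 {
			c.Used = true
			return true
		}
	}
	return false
}

// NewDemoStore builds a constructed table: user 1 and user 2 hold one code each.
func NewDemoStore() *Store {
	return &Store{codes: []RecoveryCode{
		{UserID: 1, Code: "code-for-user-1"},
		{UserID: 2, Code: "code-for-user-2"},
	}}
}
```

The scoped variant also makes the single-use property hold per account, so an audit event (AU-12) for a recovery-code login can be matched to the owning user rather than to whichever code happened to be unused.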

Details

CWE(s): CWE-287 (Improper Authentication)

Affected Products: gogs / gogs, versions ≤ 0.13.4

CVEs Like This One

CVE-2025-64111 (same product: Gogs Gogs)
CVE-2025-8110 (same product: Gogs Gogs)
CVE-2026-26194 (same product: Gogs Gogs)
CVE-2026-25921 (same product: Gogs Gogs)
CVE-2026-25232 (same product: Gogs Gogs)
CVE-2026-26276 (same product: Gogs Gogs)
CVE-2026-25242 (same product: Gogs Gogs)
CVE-2026-24135 (same product: Gogs Gogs)
CVE-2026-26022 (same product: Gogs Gogs)
CVE-2025-65128 (shared CWE-287)

References