Gogs Vulnerable to 2FA Bypass via Recovery Code_CVE-2025-64175

7.7 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, Gogs’ 2FA recovery code validation does not scope codes by user, enabling cross-account bypass. If an attacker knows a victim’s username and password, they can use any unused recovery code (e.g., from their own account) to bypass the victim’s 2FA. This enables full account takeover and renders 2FA ineffective in all environments where it's enabled.. This issue has been patched in versions 0.13.4 and 0.14.0+dev.

Basic Information

ID CVE-2025-64175

Source GitHub_M

Published Feb 6, 2026 at 17:41

Modified Feb 6, 2026 at 18:58

Affected Product

Vendor gogs

Product gogs

Version < 0.14.0+dev

Affected Versions gogs gogs < 0.14.0+dev
gogs gogs < 0.13.4

CWE Classification

CWE-287

References

github.com /gogs/gogs/security/advisories/GHSA-p6x6-9mx6-26wj

{
    "lastseen": "",
    "description": "Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, Gogs\u2019 2FA recovery code validation does not scope codes by user, enabling cross-account bypass. If an attacker knows a victim\u2019s username and password, they can use any unused recovery code (e.g., from their own account) to bypass the victim\u2019s 2FA. This enables full account takeover and renders 2FA ineffective in all environments where it's enabled.. This issue has been patched in versions 0.13.4 and 0.14.0+dev.",
    "published": "2026-02-06T17:41:07.321Z",
    "modified": "2026-02-06T18:58:09.746Z",
    "type": "cve",
    "title": "Gogs Vulnerable to 2FA Bypass via Recovery Code",
    "source": "GitHub_M",
    "references": "https://github.com/gogs/gogs/security/advisories/GHSA-p6x6-9mx6-26wj",
    "id": "CVE-2025-64175",
    "bulletinFamily": "",
    "cwe": [
        "CWE-287"
    ],
    "cvelist": null,
    "sourceData": "gogs gogs < 0.14.0+dev\ngogs gogs < 0.13.4",
    "sourceHref": "",
    "cvss": {
        "score": 7.7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "gogs",
    "version": "< 0.14.0+dev",
    "vendor": "gogs",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}