CVE-2020-14144

HIGH NUCLEI

Gitea 1.1.0-1.12.5 - Authenticated Remote Code Execution via Git Hook Script Injection

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2020-14144. PoCs published by p0dalirius, Mohnad-AL-saif, Podalirius, Christophe De La Fuente, including Metasploit module exploits/multi/http/gitea_git_hooks_rce. A Nuclei detection template is also available.

AI-analyzed exploit summary This PoC exploits CVE-2020-14144 in GiTea by leveraging git hooks to achieve authenticated remote code execution. It automates repository creation, git hook manipulation, and payload delivery via git push.

Description

The git hook feature in Gitea 1.1.0 through 1.12.5 might allow for authenticated remote code execution in customer environments where the documentation was not understood (e.g., one viewpoint is that the dangerousness of this feature should be documented immediately above the ENABLE_GIT_HOOKS line in the config file). NOTE: The vendor has indicated this is not a vulnerability and states "This is a functionality of the software that is limited to a very limited subset of accounts. If you give someone the privilege to execute arbitrary code on your server, they can execute arbitrary code on your server. We provide very clear warnings to users around this functionality and what it provides.

Exploits (3)

nomisec WORKING POC 30 stars
by p0dalirius · poc
https://github.com/p0dalirius/CVE-2020-14144-GiTea-git-hooks-rce

This PoC exploits CVE-2020-14144 in GiTea by leveraging git hooks to achieve authenticated remote code execution. It automates repository creation, git hook manipulation, and payload delivery via git push.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: GiTea versions >= 1.1.0 to <= 1.12.5
Auth required
Prerequisites: Valid GiTea credentials · Network access to the target GiTea instance
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by Mohnad-AL-saif · poc
https://github.com/Mohnad-AL-saif/Gitea-Git-Hooks-RCE-CVE-2020-14144-

This repository contains a functional Python exploit for CVE-2020-14144, which allows authenticated users with git hook permissions to achieve remote code execution on Gitea instances. The exploit automates the creation of a malicious git hook and triggers it via a git push.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Gitea versions 1.1.0 to 1.12.5
Auth required
Prerequisites: Valid Gitea credentials with git hook permissions · Network access to the target Gitea instance · Git installed on the attacker machine
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by Podalirius, Christophe De La Fuente · rubypocunix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/gitea_git_hooks_rce.rb

This Metasploit module exploits CVE-2020-14144 in Gitea by leveraging insecure git hooks to achieve remote code execution. It authenticates, creates a repository, sets a malicious post-receive hook, and triggers it by creating a dummy file.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Gitea versions < 1.13.0 with DISABLE_GIT_HOOKS set to false
Auth required
Prerequisites: Valid Gitea credentials · Permission to create git hooks (default for admins)
devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

Gitea 1.1.0 - 1.12.5 - Remote Code Execution
HIGHVERIFIEDby theamanrawat
Shodan: html:"Powered by Gitea Version" || http.html:"powered by gitea version" || http.title:"gitea" || cpe:"cpe:2.3:a:gitea:gitea"
FOFA: body="powered by gitea version" || title="gitea"

References (8)

Core 8
Core References
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/go-gitea/gitea/releases
Third Party Advisory x_refsource_misc
https://docs.gitlab.com/ee/administration/server_hooks.html
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/162122/Gitea-Git-Hooks-Remote-Code-Execution.html
Exploit, Third Party Advisory x_refsource_misc
https://github.com/PandatiX/CVE-2021-28378
Third Party Advisory x_refsource_misc
https://github.com/go-gitea/gitea/pull/13058

Scores

CVSS v3 7.2
EPSS 0.9353
EPSS Percentile 99.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-78
Status published
Products (2)
code.gitea.io/gitea 1.1.0 - 1.12.6Go
gitea/gitea 1.1.0 - 1.12.5
Published Oct 16, 2020
Tracked Since Feb 18, 2026