CVE-2024-39930

CRITICAL

Gogs < 0.13.0 - Authenticated Remote Code Execution via SSH --split-string Argument Injection

Title source: llm

Exploitation Summary

EIP tracks 5 public exploits for CVE-2024-39930. PoCs published by cybersploit, adminlove520, laachy.

AI-analyzed exploit summary This exploit leverages an SSH argument injection vulnerability in Gogs (CVE-2024-39930) to achieve remote code execution. It automates the process of obtaining an API token, creating a repository, adding an SSH key, and executing arbitrary commands via a crafted SSH session.

Description

The built-in SSH server of Gogs through 0.13.0 allows argument injection in internal/ssh/ssh.go, leading to remote code execution. Authenticated attackers can exploit this by opening an SSH connection and sending a malicious --split-string env request if the built-in SSH server is activated. Windows installations are unaffected.

Exploits (5)

exploitdb WORKING POC

by cybersploit · pythonremotemultiple

https://www.exploit-db.com/exploits/52348

View Code ZIP pw:eip

This exploit leverages an SSH argument injection vulnerability in Gogs (CVE-2024-39930) to achieve remote code execution. It automates the process of obtaining an API token, creating a repository, adding an SSH key, and executing arbitrary commands via a crafted SSH session.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Gogs <= 0.13.0

Auth required

Prerequisites: Valid Gogs credentials · SSH key pair · Network access to the Gogs instance

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 18, 2026 Full analysis →

github WORKING POC 2 stars

by adminlove520 · pythonpoc

https://github.com/adminlove520/CVE-Poc_All_in_One/tree/main/2024/CVE-2024-39930

View Code ZIP pw:eip

The repository contains functional exploit code for CVE-2024-39930, including a Python script (`exploit.py`) that demonstrates the vulnerability. The exploit targets an authentication bypass in TOTOLINK devices by manipulating the `authCode` parameter.

Classification

Working Poc 90%

Attack Type

Auth Bypass

Complexity

Trivial

Reliability

Reliable

Target: TOTOLINK LR350 (V9.3.5u.6369_B20220309) and TOTOLINK T6 (V4.1.5cu.748_B20211015)

No auth needed

Prerequisites: Network access to the target device

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1078 - Valid Accounts

devstral-2 · analyzed Feb 27, 2026 Full analysis →

nomisec WORKING POC

by laachy · poc

https://github.com/laachy/CVE-2024-39930-ptrace-detection-mitigation

View Code ZIP pw:eip

This repository contains a functional PoC for CVE-2024-39930, which mitigates ptrace-based detection by intercepting and denying specific execve syscalls. The code uses ptrace to monitor and manipulate process execution, particularly targeting commands with split-string options.

Classification

Working Poc 95%

Attack Type

Other

Complexity

Moderate

Reliability

Reliable

Target: Linux systems with ptrace-based monitoring

No auth needed

Prerequisites: Access to a Linux system with ptrace capabilities · Ability to attach to target processes

MITRE ATT&CK

T1055 - Process Injection T1110 - Brute Force

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec WORKING POC

by alexander47777 · poc

https://github.com/alexander47777/-CVE-2024-39930

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2024-39930, targeting Gogs versions <= 0.13.0. The exploit leverages SSH argument injection to achieve remote code execution by uploading an SSH key and executing commands via the git-upload-pack mechanism.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Gogs <= 0.13.0

Auth required

Prerequisites: Valid Gogs credentials · SSH key pair · Network access to target Gogs instance

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1078 - Valid Accounts T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec WORKING POC

by theMcSam · poc

https://github.com/theMcSam/CVE-2024-39930-PoC

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2024-39930, targeting Gogs' SSH server to achieve remote code execution (RCE) via argument injection. The exploit automates API token acquisition, repository creation, SSH key management, and command execution through a crafted SSH session.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Gogs <= 0.13.0

Auth required

Prerequisites: Valid Gogs credentials · SSH key pair · Network access to Gogs instance

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (3)

Core 3

Core References

Release Notes

https://github.com/gogs/gogs/releases

Third Party Advisory

https://www.sonarsource.com/blog/securing-developer-tools-unpatched-code-vulnerabilities-in-gogs-1/

Exploit, Third Party Advisory

https://www.vicarius.io/vsociety/posts/argument-injection-in-gogs-ssh-server-cve-2024-39930

Scores

CVSS v3 9.9

EPSS 0.1188

EPSS Percentile 93.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-88

Status published

Products (2)

gogs/gogs < 0.13.0

gogs.io/gogs 0 - 0.13.1Go

Published Jul 04, 2024

Tracked Since Feb 18, 2026