Cyber Posture

CVE-2025-64175

Severity: High

Published: 06 February 2026

Modified: 17 February 2026
KEV Added: (none listed)
Patch: (none listed)
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (6.4th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, Gogs' 2FA recovery code validation does not scope codes by user, enabling cross-account bypass. If an attacker knows a victim's username and password, they can use any unused recovery code (e.g., one from their own account on the same instance) to bypass the victim's 2FA. This enables full account takeover and renders 2FA ineffective in every environment where it is enabled. This issue has been patched in versions 0.13.4 and 0.14.0+dev.

Mitigating Controls (NIST 800-53 r5)

Prevent: IA-5 (Authenticator Management) requires authenticators, including 2FA recovery codes, to be managed as belonging to a specific account. Validating a recovery code without binding it to the account being authenticated is precisely the gap this control is meant to close. Note that the control is only satisfied by the implementation: on an unpatched instance no configuration setting restores per-user scoping, so the control maps to upgrading, not to tuning.

Prevent: SI-2 (Flaw Remediation) mandates timely identification, reporting, and correction of flaws such as unscoped recovery code validation. For this issue that means upgrading to 0.13.4 or 0.14.0+dev.

Detect: AU-12 (Audit Record Generation) calls for audit records of identification and authentication events. Logging each recovery-code login together with both the account that consumed the code and the account the code was issued to makes a cross-account use visible as a mismatch between the two. Without the issuing account in the record, a bypass is indistinguishable from an ordinary recovery-code login, so the practical detection signal on an unpatched instance is limited to recovery-code logins from unexpected sources for the affected account.

Security Summary

CVE-2025-64175 is a vulnerability in Gogs, an open source self-hosted Git service, affecting versions 0.13.3 and prior. The issue lies in the 2FA recovery code validation, which fails to scope codes to the user being authenticated, allowing cross-account bypass. The flaw is classified under CWE-287 (Improper Authentication) and has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

An attacker who already holds a victim's username and password can exploit this by submitting any unused recovery code at the victim's 2FA prompt, for example a code generated for the attacker's own account on the same instance. Successful exploitation results in full account takeover and leaves 2FA providing no protection on any affected deployment. The prerequisite matters for triage: the bug does not get an attacker past the password step, it removes the second factor for anyone who has cleared the first, which is why the vector carries PR:L rather than PR:N.

The vulnerability has been addressed in Gogs versions 0.13.4 and 0.14.0+dev. Additional details on the patch and mitigation are available in the GitHub security advisory at https://github.com/gogs/gogs/security/advisories/GHSA-p6x6-9mx6-26wj.
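The following Go program illustrates the class of bug the advisory describes. It is an added example written for this page, not code from Gogs: the in-memory Store, the RecoveryCode type and the two UseRecoveryCode variants are constructed stand-ins for a database-backed lookup. The vulnerable variant accepts a user ID but never uses it in the lookup, so any unused code on the instance satisfies the check; the fixed variant filters on the owner first. Scenario replays the attack from the advisory (attacker knows the victim's password and submits a code from their own account) against both.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
)

// ErrCodeNotFound is returned for an unknown, already-used, or (in the fixed
// lookup) foreign recovery code. Using one error for all three cases avoids
// telling the caller whether a code exists somewhere else on the instance.
var ErrCodeNotFound = errors.New("recovery code not found or already used")

// RecoveryCode is one single-use 2FA recovery code, bound at issue time to the
// account it was generated for. Constructed illustration, not Gogs' schema.
type RecoveryCode struct {
	OwnerID int64
	Code    string
	Used    bool
}

// Store is a minimal in-memory table standing in for the database.
type Store struct {
	codes []*RecoveryCode
}

// Issue records fresh, unused codes for ownerID (code generation is out of scope).
func (s *Store) Issue(ownerID int64, codes ...string) {
	for _, c := range codes {
		s.codes = append(s.codes, &RecoveryCode{OwnerID: ownerID, Code: c})
	}
}

// UseRecoveryCodeVulnerable reproduces the flaw: userID is accepted by the
// signature but never consulted, so the lookup matches any unused code on the
// instance and the 2FA step passes for whichever account is logging in.
func (s *Store) UseRecoveryCodeVulnerable(userID int64, code string) error {
	for _, rc := range s.codes {
		if !rc.Used && subtle.ConstantTimeCompare([]byte(rc.Code), []byte(code)) == 1 {
			rc.Used = true
			return nil
		}
	}
	return ErrCodeNotFound
}

// UseRecoveryCodeFixed scopes the lookup to the authenticating user before
// comparing, so a code issued to another account is rejected exactly like an
// unknown one. The constant-time compare is orthogonal to the scoping bug; it
// is kept in both variants so the only difference is the owner check.
func (s *Store) UseRecoveryCodeFixed(userID int64, code string) error {
	for _, rc := range s.codes {
		if rc.OwnerID != userID || rc.Used {
			continue
		}
		if subtle.ConstantTimeCompare([]byte(rc.Code), []byte(code)) == 1 {
			rc.Used = true
			return nil
		}
	}
	return ErrCodeNotFound
}

// Scenario plays the advisory's attack against both lookups: the attacker
// (account 2) already knows the victim's (account 1) password and submits a
// recovery code from their own account at the victim's 2FA prompt. It reports
// whether each variant let the attacker through.
func Scenario() (vulnerableBypassed, fixedBypassed bool) {
	const victimID, attackerID = int64(1), int64(2)
	newStore := func() *Store {
		s := &Store{}
		s.Issue(victimID, "v-1111-aaaa", "v-2222-bbbb") // constructed sample codes
		s.Issue(attackerID, "a-9999-zzzz")
		return s
	}
	vulnerableBypassed = newStore().UseRecoveryCodeVulnerable(victimID, "a-9999-zzzz") == nil
	fixedBypassed = newStore().UseRecoveryCodeFixed(victimID, "a-9999-zzzz") == nil
	return
}

func main() {
	v, f := Scenario()
	fmt.Printf("attacker's own code accepted at victim's 2FA prompt: vulnerable=%v fixed=%v\n", v, f)
}
```

The check a reviewer should apply to any recovery-code or one-time-code validator is the one the fixed variant makes explicit: every predicate that identifies the code row must include the authenticating account, and the "not found" path must be the same for foreign, used and unknown codes. The example keeps codes in plaintext for readability; a production store should hold only a hash of each code and compare against that.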

Details

CWE(s)

CWE-287 Improper Authentication

Affected Products

Vendor: gogs
Product: gogs
Versions: ≤ 0.13.3 (fixed in 0.13.4 and 0.14.0+dev)

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is an authentication bypass in an Internet-facing Git web service (Gogs), so an attacker who already holds a victim's password can complete the login remotely and take over the account; that is the T1190 pattern. The mapping assumes the credential prerequisite is already met: the flaw removes the second factor, it does not supply the first.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

References

GHSA-p6x6-9mx6-26wj: https://github.com/gogs/gogs/security/advisories/GHSA-p6x6-9mx6-26wj