Stored XSS Vulnerability in Gogs Open Source Git Service
CVE-2025-47943

6.3MEDIUM

Key Information:

Vendor

Gogs

Status
Gogs
Vendor
CVE Published:
24 June 2025

What is CVE-2025-47943?

Gogs, a self-hosted Git service, is facing a stored cross-site scripting (XSS) vulnerability that enables the execution of client-side JavaScript code in versions prior to 0.14.0+dev. The root cause of this vulnerability resides in the outdated pdfjs-1.4.20 component located in public/plugins/. This flaw can be exploited to perform various malicious actions against users interacting with the affected service. Gogs has addressed this issue in version 0.13.3, encouraging users to update to the latest release to ensure their services remain secure.

Affected Version(s)

gogs <= 0.14.0+dev

References

https://github.com/gogs/gogs/security/advisories/GHSA-xh3...
x_refsource_CONFIRM
https://github.com/gogs/gogs/commit/110117b2e5e5baa4809c8...
x_refsource_MISC
https://github.com/gogs/gogs/releases/tag/v0.13.3
x_refsource_MISC

CVSS V3.1

Score:
6.3
Severity:
MEDIUM
Confidentiality:
High
Integrity:
Low
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2025-47943 : Stored XSS Vulnerability in Gogs Open Source Git Service