CVE-2025-47943

Gogs is an open source self-hosted Git service. In application version 0.14.0+dev and prior, there is a stored cross-site scripting (XSS) vulnerability present in Gogs, which allows client-side Javascript code execution. The vulnerability is caused by the usage of a vulnerable and outdated component: pdfjs-1.4.20 under public/plugins/. This issue has been fixed for gogs.io/gogs in version 0.13.3.

CVSS v3 6.3 MEDIUM

6.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.1 / Impact : 4.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/gogs/gogs/commit/110117b2e5e5baa4809c819bec701e929d2d8d40
https://github.com/gogs/gogs/releases/tag/v0.13.3
https://github.com/gogs/gogs/security/advisories/GHSA-xh32-cx6c-cp4v
https://www.hacktivesecurity.com/blog/2025/07/15/cve-2025-47943-stored-xss-in-gogs-via-pdf
https://github.com/gogs/gogs/security/advisories/GHSA-xh32-cx6c-cp4v

Configurations

No configuration.

History

No history.

Information

Published : 2025-06-24 04:15

Updated : 2025-07-30 18:15

NVD link : CVE-2025-47943

Mitre link : CVE-2025-47943

CVE.ORG link : CVE-2025-47943

JSON object : View

Products Affected

No product.

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2025-47943", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 4.2, "exploitabilityScore": 2.1}]}, "published": "2025-06-24T04:15:46.743", "references": [{"url": "https://github.com/gogs/gogs/commit/110117b2e5e5baa4809c819bec701e929d2d8d40", "source": "security-advisories@github.com"}, {"url": "https://github.com/gogs/gogs/releases/tag/v0.13.3", "source": "security-advisories@github.com"}, {"url": "https://github.com/gogs/gogs/security/advisories/GHSA-xh32-cx6c-cp4v", "source": "security-advisories@github.com"}, {"url": "https://www.hacktivesecurity.com/blog/2025/07/15/cve-2025-47943-stored-xss-in-gogs-via-pdf", "source": "security-advisories@github.com"}, {"url": "https://github.com/gogs/gogs/security/advisories/GHSA-xh32-cx6c-cp4v", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Gogs is an open source self-hosted Git service. In application version 0.14.0+dev and prior, there is a stored cross-site scripting (XSS) vulnerability present in Gogs, which allows client-side Javascript code execution. The vulnerability is caused by the usage of a vulnerable and outdated component: pdfjs-1.4.20 under public/plugins/. This issue has been fixed for gogs.io/gogs in version 0.13.3."}, {"lang": "es", "value": "Gogs es un servicio Git autoalojado de c\u00f3digo abierto. En la versi\u00f3n 0.14.0+dev y anteriores de la aplicaci\u00f3n, existe una vulnerabilidad de cross-site scripting (XSS) almacenado en Gogs, que permite la ejecuci\u00f3n de c\u00f3digo Javascript del lado del cliente. La vulnerabilidad se debe al uso de un componente vulnerable y obsoleto: pdfjs-1.4.20, ubicado en public/plugins/. Este problema se ha corregido para gogs.io/gogs en la versi\u00f3n 0.13.3."}], "lastModified": "2025-07-30T18:15:40.640", "sourceIdentifier": "security-advisories@github.com"}