GHSA-6p9m-q3jp-47h4: Gogs: LFS dedupe path leaks private repo content across tenants
Summary
Gogs (a git hosting service) has a security flaw in its LFS (large file storage, a system for storing large files in git repositories) implementation where the deduplication shortcut skips hash verification, allowing any user with write access to one repository to claim ownership of LFS objects from private repositories they cannot access. An attacker can bind a file OID (object identifier, a unique hash) from a private repo to their own repo and download the private content through their own download endpoint.
Solution / Mitigation
The source text suggests two fixes: (1) In `LocalStorage.Upload`, when the file already exists on disk, hash the request body using `io.TeeReader` and return `ErrOIDMismatch` if the hash doesn't match the claimed OID, using the same verification code path as new file uploads. (2) As an optional second layer, in `serveUpload`, refuse to create the LFS object binding unless the OID is referenced by an LFS pointer in the requesting repository's refs (git history).
Vulnerability Details
EPSS: 0.0%
Yes
June 23, 2026
Classification
Affected Packages
Original source: https://github.com/advisories/GHSA-6p9m-q3jp-47h4
First tracked: June 23, 2026 at 02:00 PM
Classified by LLM (prompt v3) · confidence: 95%