Platform: go
Component: gogs.io/gogs
Fixed in: 0.12.9
CVE-2022-1992 is a critical path traversal vulnerability in Gogs, a self-hosted Git service written in Go. The flaw lets an attacker read arbitrary files on the server, exposing data such as configuration files or source code that should never leave the host. It affects Gogs versions prior to 0.12.9; the fix ships in 0.12.9.
The impact is significant. The file editor accepts a user-controlled file path; an attacker who supplies "../" segments can walk out of the repository directory and reach any file readable by the Gogs process. That includes the Gogs configuration (custom/conf/app.ini, which holds database credentials and secret keys), SSH keys and tokens on the host, and the contents of private repositories. Credentials recovered this way can be reused against the database or other services, so a successful read is often the first step of a larger compromise. The blast radius is every file the Gogs service account can read, not only the repositories it serves.
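The bug class described above, as an added example written for this page (not Gogs's own code): a resolver that joins the user-supplied tree path onto the repository directory without a containment check, beside a hardened version that rejects any result outside the root. The repository path and the sample tree paths are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned when a user-supplied tree path resolves outside the repository.
var ErrTraversal = errors.New("tree path escapes repository root")

// vulnerableResolve shows the bug class: the user-controlled file path from the
// editor is joined onto the repository directory with no containment check, so
// "../" segments walk out of the repository and into the host filesystem.
func vulnerableResolve(repoRoot, treePath string) string {
	return filepath.Join(repoRoot, treePath)
}

// safeResolve is the hardened form. It assumes treePath has already been fully
// URL-decoded by the router; the check must run on the decoded value, never on
// the raw request string. The check is lexical: if the repository may contain
// symlinks, additionally resolve with filepath.EvalSymlinks and repeat it.
func safeResolve(repoRoot, treePath string) (string, error) {
	root := filepath.Clean(repoRoot)
	if filepath.IsAbs(treePath) || strings.ContainsRune(treePath, 0) {
		return "", ErrTraversal
	}
	full := filepath.Join(root, treePath) // Join cleans, so ".." is collapsed here
	rel, err := filepath.Rel(root, full)
	if err != nil {
		return "", ErrTraversal
	}
	// rel is ".." or starts with "../" exactly when full lies outside root.
	// A plain strings.HasPrefix(full, root) is not enough: it would accept a
	// sibling directory such as root+"-other".
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return full, nil
}

func main() {
	root := "/data/repos/alice/proj.git" // assumed repository location (constructed)
	inputs := []string{
		"src/main.go",
		"docs/../README.md",
		"../../../../etc/passwd",
		"../proj.git-other/README",
		"/etc/passwd",
	}
	for _, p := range inputs {
		got, err := safeResolve(root, p)
		fmt.Printf("%-26q vulnerable=%-36s safe=%q err=%v\n", p, vulnerableResolve(root, p), got, err)
	}
}
```

With the constructed root above, the vulnerable join turns "../../../../etc/passwd" into "/etc/passwd", while safeResolve rejects it, rejects the sibling-directory probe that a naive prefix check would let through, and still accepts ordinary paths (including ones that use ".." but stay inside the repository).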
CVE-2022-1992 was published on August 21, 2024. No active exploitation campaigns have been publicly reported, and no public proof-of-concept exploit is known, but path traversal in a web file editor is a simple bug class that is easy to probe for, so unpatched instances exposed to untrusted users are likely targets. The vulnerability is not currently listed on CISA KEV.
Exploit Status: no public proof of concept reported; not listed on CISA KEV
EPSS: 1.69% (82nd percentile)
CVSS Vector:
The primary mitigation for CVE-2022-1992 is to upgrade Gogs to version 0.12.9 or later. If an immediate upgrade is not feasible, reduce who can reach the file editor: the editor is a feature of the web UI rather than a separately firewallable service, so restrict the web UI to trusted networks, disable self-registration, and review who holds write access to repositories. Monitor web access logs and file system activity for requests or reads that fall outside repository directories. No vendor WAF rules or detection signatures are published for this CVE, so prompt patching and access control are the priority. After upgrading, confirm the fix against a test repository by requesting a file path that contains "../" segments through the file editor; the request should be rejected rather than returning a file from outside the repository.
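For the monitoring suggested above, here is an added example (written for this page, not part of Gogs or any vendor signature set) that scans web access logs for traversal attempts. It decodes each request path repeatedly so that single- and double-URL-encoded ".." segments are caught, and matches whole path segments so that filenames like "..notes.md" are not flagged. The log lines and editor URL shapes below are constructed; adapt the regex to your reverse proxy's log format. Note that a traversal sent in a POST form field is not visible in the request line, so this catches only URL-borne attempts.

```go
package main

import (
	"bufio"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// sampleLog holds constructed access-log lines in common log format. The
// editor URLs are illustrative, not captured from a real Gogs instance.
const sampleLog = `203.0.113.7 - alice [01/Jan/2024:10:00:01 +0000] "GET /alice/proj/_edit/master/README.md HTTP/1.1" 200 5120
203.0.113.7 - alice [01/Jan/2024:10:00:05 +0000] "GET /alice/proj/_edit/master/..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1831
198.51.100.9 - bob [01/Jan/2024:10:01:12 +0000] "POST /alice/proj/_edit/master/src/main.go HTTP/1.1" 302 0
198.51.100.9 - bob [01/Jan/2024:10:01:40 +0000] "GET /alice/proj/_edit/master/%252e%252e/%252e%252e/custom/conf/app.ini HTTP/1.1" 200 2210
198.51.100.9 - bob [01/Jan/2024:10:02:03 +0000] "GET /alice/proj/src/master/docs/..notes.md HTTP/1.1" 200 77
`

// requestPath extracts the request target from the quoted request line.
var requestPath = regexp.MustCompile(`"(?:GET|POST|PUT|DELETE) (\S+) HTTP/`)

// decodeFully unescapes a request path repeatedly (bounded) so that single
// (%2e%2e%2f) and double (%252e%252e) encodings are both normalised before
// inspection. It stops when decoding no longer changes the string.
func decodeFully(raw string) string {
	p := raw
	for i := 0; i < 3; i++ {
		d, err := url.PathUnescape(p)
		if err != nil || d == p {
			break
		}
		p = d
	}
	return p
}

// hasTraversal reports whether any segment of the decoded path is exactly "..".
// Backslashes and "?" are treated as separators so that backslash variants and
// query-string values are inspected as well. Matching whole segments rather than
// the substring ".." avoids false positives on names such as "..notes.md".
func hasTraversal(raw string) bool {
	p := strings.NewReplacer(`\`, "/", "?", "/").Replace(decodeFully(raw))
	for _, seg := range strings.Split(p, "/") {
		if seg == ".." {
			return true
		}
	}
	return false
}

// traversalRequests returns the request targets in log that contain a
// traversal segment, in the order they appear.
func traversalRequests(log string) []string {
	var hits []string
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		m := requestPath.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		if hasTraversal(m[1]) {
			hits = append(hits, m[1])
		}
	}
	return hits
}

func main() {
	for _, h := range traversalRequests(sampleLog) {
		fmt.Println("possible traversal:", h)
	}
}
```

On the constructed log the scanner flags the two encoded traversal requests and leaves the three legitimate editor and browse requests alone. A 200 response on a flagged request is the signal to treat the instance as compromised and rotate every secret in its configuration.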
Update Gogs to version 0.12.9 or later; that release contains the fix for the path traversal. Download the new release (or pull the updated container image) and follow the upgrade instructions published by the Gogs project, taking a backup of the database and the custom directory first.
CVE-2022-1992 is a critical vulnerability in Gogs allowing attackers to read arbitrary files on the server through the file editor. It affects versions before 0.12.9.
You are affected if you are running any Gogs version earlier than 0.12.9. Check your Gogs version and upgrade immediately if necessary.
Upgrade Gogs to version 0.12.9 or later to patch the vulnerability. If upgrading is not immediately possible, restrict access to the file editor.
No active exploitation campaigns have been publicly reported, but the vulnerability's severity makes it a potential target.
Refer to the Gogs release notes and security advisories on the official Gogs website: https://gogs.io/.