A security researcher discovered multiple critical vulnerabilities in Forgejo, including SSRF, RCE, and authentication flaws, after Fedora migrated to the platform. The researcher opted for 'carrot disclosure' by publishing a redacted exploit to pressure Forgejo into conducting a holistic security audit. The vulnerabilities are chainable but rely on non-default configurations, reducing immediate widespread risk.
Background
Forgejo is a community-driven fork of Gitea, a popular open-source Git hosting solution, often used as an alternative to GitHub. Fedora recently migrated its code hosting from Pagure to Forgejo, increasing its visibility and scrutiny.
- Source: Lobsters
- Published: Apr 29, 2026 at 04:58 AM
- Score: 7.0 / 10