Security researcher jvoisin found RCE, secrets leaks, and OAuth2 privesc chains in Forgejo in one evening, then published redacted PoC output instead of filing a CVE.
Key Takeaways
The attack surface included SSRF, missing CSP and Trusted Types, weak cryptography, OAuth2 privilege escalation, TOCTOU races, and session/OTP authentication flaws.
The RCE chain (chain_alpha.py) requires open registration plus one non-default configuration option that is nonetheless present on real instances; three additional exploit chains were also written.
“Carrot disclosure” publishes only the redacted PoC output to pressure vendors into a holistic audit, without handing attackers a ready exploit.
Forgejo inherited the vulnerability surface from Gitea; jvoisin had already found issues in Gitea previously, suggesting systematic problems rather than isolated bugs.
The researcher explicitly declined to submit pull requests or file through Forgejo’s Security Policy, framing the codebase as too broken for incremental patching.
Hacker News Comment Review
Early discussion centers on whether carrot disclosure is responsible here: the sole visible commenter found the attitude “off-putting” and argued the Forgejo security process is straightforward, not burdensome.
Critics note that the PoC targets a locally hosted instance, which raises the question of whether the demonstrated blast radius justifies skipping coordinated disclosure.
Notable Comments
@dangus: challenges the framing, calling the locally-run demo unimpressive and the all-caps Security Policy language a normal responsible-disclosure norm, not hostility.