{
  "claim_outcome": "confirmed",
  "claim_block_reason": null,
  "repro_result": "confirmed",
  "validated_surface": "api_remote",
  "evidence_scope": "production_path",
  "claimed_impact_class": "code_execution",
  "observed_impact_class": "code_execution",
  "exploitability_confidence": "high",
  "attacker_controlled_input": "Organization (owner) name containing ../ path-traversal sequences, supplied via the Gogs HTTP API (POST /api/v1/admin/users/:user/orgs); plus an executable Git hook (nested/rce.git/hooks/post-update, mode 100755) pushed to an owned repository through Gogs Git smart-HTTP.",
  "trigger_path": "Gogs HTTP API creates a ../-traversal organization -> nested bare repo written outside the repository ROOT, inside another repo's local worktree (<APP_DATA_PATH>/tmp/local-r/<id>) -> attacker pushes an executable post-update hook to the outer repo via Gogs Git smart-HTTP -> a Gogs web-upload sync (UpdateLocalCopyBranch: git fetch + reset --hard) materialises the executable hook into the nested bare repo's hooks/ -> a real git receive-pack on the planted bare repo executes the attacker's hook as the Gogs service user (RCE). The fixed release (0.14.3) rejects the traversal organization name (HTTP 422) via pathutil.Clean, so no nested repo is created and no hook executes.",
  "end_to_end_target_reached": true,
  "sanitizer_used": false,
  "crash_observed": false,
  "read_write_primitive_observed": true,
  "exploit_chain_demonstrated": true,
  "blocking_mitigation": null,
  "inferred": false
}
