A security researcher found a full RCE chain in Forgejo in one evening by chaining SSRF, authentication flaws, and cryptographic weaknesses, and published only redacted exploit output as “carrot disclosure” pressure on the vendor.
Key Takeaways
The reported weaknesses span SSRF in many locations, absent CSP and Trusted Types, JS templating bugs, cryptographic misuse, OAuth2/OTP/session flaws, DoS, information leaks, and TOCTOU races.
RCE chain creates a backdoor admin account and executes commands via server-side git hook; requires open registration plus one non-default config option present on real instances.
Carrot disclosure: the researcher publishes only the redacted terminal output of the exploit plus a SHA256 hash of the withheld PoC, not the exploit itself, so that possession is provable while the vendor is pushed to audit the code on its own side.
Five scripts exist (chain_alpha/beta/gamma, leak_secrets, merge) plus an 83KB NOTES.md; all withheld pending Forgejo response.
Researcher argues the codebase is shallow enough that a second RCE chain is a matter of another evening, framing the fix burden as structural, not patch-by-patch.
Hacker News Comment Review
Skeptics note that the only two PRs actually filed are trivial (quote escaping, OAuth PKCE enforcement) rather than vulnerability reports, which makes the public-pressure framing look like grandstanding in the absence of direct disclosure.
Forgejo’s governance doc explicitly threatens to publicly criticize researchers who deviate from their required disclosure process, which likely explains the adversarial tone on both sides.
One commenter raised a pointed concern: in the LLM era, publishing exploit context plus the open Forgejo codebase may effectively be full disclosure since a capable model could reconstruct the chain.
Notable Comments
@gchamonlive: argues that with the provided context and Forgejo’s public codebase, Codex could likely reproduce the vuln chain, making carrot disclosure functionally equivalent to full disclosure in 2026.
@throwaway38294: self-hosts Forgejo on LAN only and advises against any public exposure, treating the finding as confirmation of an existing operational posture.