Security researcher jvoisin conducted an informal audit of Forgejo (the Git forge now used by Fedora) and found numerous vulnerabilities in a single evening: SSRF, missing CSP/Trusted-Types, cryptographic malpractices, OAuth2 privilege escalation, authentication flaws, DoS vectors, and information leaks. These were chained into a working RCE proof-of-concept. Rather than following standard responsible disclosure, the author uses 'carrot disclosure' — publishing redacted exploit output to pressure the vendor into a holistic security audit without revealing the full exploit chain. The PoC output confirms command execution on the target server.

From dustri.org