Releases: gogs/gogs

Latest commit build

31 Jan 16:59
4721a25

Latest commit build Pre-release

Automated build from the latest commit on main branch. This release is updated automatically with every push to main.

0.14.3

07 Jun 20:51
3ba8aca

Fixed

  • Security: Reverse proxy authentication header was honored from any remote address, allowing user impersonation when Gogs was reachable directly. The header is now only trusted from addresses listed in [auth] TRUSTED_PROXY_IPS. #8264 - GHSA-w6j9-vw59-27wv
  • Security: Server-side request forgery in webhook deliveries via HTTP redirects to local network addresses. #8263 - GHSA-c4v7-xg93-qf8g
  • Security: Denial of service when rendering issue references against a malformed external issue tracker URL format. #8312 - GHSA-4j89-2c4f-44c6
  • Security: Stored XSS in Jupyter notebook (.ipynb) preview through Markdown links with javascript: URLs. #8319 - GHSA-jq8v-rmf6-65jw
  • Security: Missing authorization check on the attachment download endpoint allowed anyone who knew (or guessed) an attachment UUID to download files belonging to private repositories. #8320 - GHSA-p9f5-h3rx-j5qw
  • Security: Organization team and member management actions accepted GET requests, allowing a logged-in owner to be tricked into adding an attacker to the Owners team via a crafted link. #8321 - GHSA-pwx3-qcgw-vh7h
  • Security: SSRF via mirror address update bypassing clone address validation. #8225 - GHSA-wv27-2vqp-j7g5
  • Security: Open redirect on login and other post-action flows via the redirect_to query parameter. #8322 - GHSA-xxhq-69mf-w8cr
  • Security: Privilege escalation to repository owner via collaboration access mode update. #8227 - GHSA-4565-r4x7-hg8j
  • Security: SSRF in repository migration and recurring mirror sync via HTTP redirects and stale host validation on stored mirror URLs. #8324 - GHSA-g2f5-gjr4-qjvm
  • Security: Remote command execution via pull request rebase merges with crafted branch names. #8301 - GHSA-qf6p-p7ww-cwr9
  • Security: Stored XSS in the milestone dropdown on the new issue page via crafted milestone names. #8325 - GHSA-vcm5-gvmp-78mp
  • Security: Stored XSS in Jupyter notebook (.ipynb) preview through data:text/html URIs that bypassed the sanitizer. #8326 - GHSA-3w28-36p9-w929
  • Security: Write-level collaborators could change admin-only repository settings (issue tracker, wiki, mirror sync) via API. #8327 - GHSA-268j-37xf-pp52
  • Security: Password reset tokens stayed valid for the account-activation lifetime, ignoring [auth] RESET_PASSWORD_CODE_LIVES. #8328 - GHSA-5c3f-6486-3g7g
  • Security: Stored XSS in Jupyter notebook (.ipynb) preview through raw HTML in markdown cells. #8330 - GHSA-6vxv-wg6j-5qwp
  • Security: Read-only Git HTTP access could be confused with write access during repository pushes. #8331 - GHSA-wmfg-5p4h-5fw3
  • Security: Arbitrary file write outside the repository working tree via crafted upload filename routed through a committed directory symlink. #8332 - GHSA-89mr-xqfv-758m
  • Security: Cross-repository disclosure of Git LFS object contents by binding a known OID to another repository without proving possession of the bytes. #8333 - GHSA-6p9m-q3jp-47h4
  • Security: Remote code execution via path traversal in organization names accepted through the API. #8334 - GHSA-c39w-43gm-34h5
  • Security: Stalled SSH handshakes pinned a file descriptor and goroutine indefinitely. The built-in SSH server now drops connections that do not complete the handshake within 15 seconds. #8335 - GHSA-xp79-5mx3-jx52
  • Security: Organization metadata and team list endpoints were reachable without authentication. #8336 - GHSA-744x-3838-5r56

v0.14.3-rc.1

07 Jun 19:07
3ba8aca

v0.14.3-rc.1 Pre-release

Release candidate for 0.14.3. See CHANGELOG for the full list of changes.

Release archive testing

31 Jan 14:26
3eb9328

Pre-release

Automated testing release for workflow development.

0.14.2

19 Feb 03:47
5dcb6c6

ℹ️ Heads up! There is a new patch release 0.14.3 available; we recommend installing or upgrading directly to that version.

Fixed

Removed

  • Support for passing API access tokens via URL query parameters (token, access_token). Use the Authorization header instead. #8177 - GHSA-x9p5-w45c-7ffc

v0.14.2-rc.1

19 Feb 00:27
5dcb6c6

v0.14.2-rc.1 Pre-release

Release candidate for v0.14.2.

0.14.1

01 Feb 03:32
f5c8030

ℹ️ Heads up! There is a new patch release 0.14.3 available; we recommend installing or upgrading directly to that version.

Added

  • Support comparing tags in addition to branches. #6141
  • Show file name in browser tab title when viewing files. #5896
  • Support using TLS for Redis session provider using [session] PROVIDER_CONFIG = ...,tls=true. #7860
  • Support expanding values in app.ini from environment variables, e.g. [database] PASSWORD = ${DATABASE_PASSWORD}. #8057
  • Support custom logout URL that users get redirected to after sign out using [auth] CUSTOM_LOGOUT_URL. #8089
  • Start publishing a next-generation, security-focused Docker image via gogs/gogs:next-latest, which will become the default image distribution (gogs/gogs:latest) starting 0.16.0. Support for some container options has not yet been added to the next-generation image, but use of the current legacy Docker image is deprecated; it will be published as gogs/gogs:legacy-latest starting 0.16.0 and completely removed no earlier than 0.17.0. #8061

Changed

  • The required Go version to compile source code changed to 1.25.
  • The build tag cert has been removed, and the gogs cert subcommand is now always available. #7883
  • Switched to pure-Go SQLite driver, CGO is no longer required to compile Gogs. #7882
  • Updated Mermaid JS to 11.9.0. #8009
  • Halt the repository creation and leave the directory untouched if the repository root already exists. #8091

Fixed

  • Security: Unauthenticated file upload. #8128 - GHSA-fc3h-92p8-h36f
  • Security: Protected branch bypass in web UI. #8124 - GHSA-2c6v-8r3v-gh6p
  • Security: Authorization bypass allows cross-repository label modification. #8123 - GHSA-cv22-72px-f4gh
  • Security: Cross-repository comment deletion. #8119 - GHSA-jj5m-h57j-5gv7
  • 500 error on repository watchers and stargazers pages when using MSSQL. #5482
  • Submodules using ssh:// protocol and a port number are not rendered correctly. #4941
  • Missing link to user profile on the first commit in commits history page. #7404
  • Unable to delete or display files with special characters in their names. #7596
  • Docker healthcheck fails when HTTP_PROXY or HTTPS_PROXY environment variables are set. #7529

v0.14.1-rc.1

01 Feb 03:29
f5c8030

v0.14.1-rc.1 Pre-release
Fix up tests

v0.14.0

01 Feb 00:17
36c26c4

ℹ️ Heads up! There is a new patch release 0.14.3 available; we recommend installing or upgrading directly to that version.

Caution

This release was pulled back due to clones hanging with the built-in SSH server; please use 0.14.1 instead.

v0.14.0-rc.1

31 Jan 23:01
36c26c4

v0.14.0-rc.1 Pre-release
Update version to 0.14.0