submitted 3 weeks ago* (last edited 3 weeks ago) by tofu@lemmy.nocturnal.garden to c/selfhosted@lemmy.world
[-] irotsoma@piefed.blahaj.zone 0 points 3 weeks ago* (last edited 3 weeks ago)

Edit: I hate to remove comments and it may get me banned but due to the hate speech I'm receiving regarding things unrelated to software while trying to sympathize with a frustrated security researcher who got caught up in unnecessary bureaucracy when taken en masse, I'm going to remove these comments for now. This is why we volunteer FOSS engineers have to stay clear of popular projects I guess.

[-] ChairmanMeow@programming.dev 1 points 3 weeks ago

Forgejo has a responsible disclosure policy, but this person seems like they just don't want to deal with that and instead opted for the nuclear option immediately.

[-] irotsoma@piefed.blahaj.zone -1 points 3 weeks ago* (last edited 3 weeks ago)

Edit: I hate to remove comments and it may get me banned but due to the hate speech I'm receiving regarding things unrelated to software while trying to sympathize with a frustrated security researcher who got caught up in unnecessary bureaucracy when taken en masse, I'm going to remove these comments for now. This is why we volunteer FOSS engineers have to stay clear of popular projects I guess.

[-] ChairmanMeow@programming.dev 1 points 3 weeks ago

Erm, did you read them? The policies aren't complex at all, just submit the issue (and proposed fix if there is one) through a secure channel, that they're happy to help set up. If you want to disclose the vulnerability, just wait until the embargo passes so there's time to fix and have users update. There's not really anything else you need to do here. This is pretty standard stuff that this person just seemed too lazy to participate in.

Of the three fixes submitted, only a single one was closed since it didn't seem very major and would be a breaking change (which shouldn't be made without prior discussion). The other two are still open, and a maintainer is helping to add tests for the fixes (since the author didn't add them). The only comment that was somewhat negative was that security fixes should preferably follow the established guidelines. That's all.

[-] slazer2au@lemmy.world 0 points 3 weeks ago* (last edited 3 weeks ago)

Yea. But did you read the security.md?
https://codeberg.org/forgejo/governance/src/branch/main/SECURITY-POLICY.md

Use an encrypted email to security@forgejo.org. If you can't, tell them and they will set one up.

Seems very assholeish to not at least do that.

[-] thesmokingman@programming.dev -1 points 3 weeks ago

I don’t think you read the article.

[-] slazer2au@lemmy.world -1 points 3 weeks ago

Did you miss this part?

with a lot of MUST/MUST NOT about what I must or mustn't do should I decide to go this way.

Sounds like him being lazy.

[-] thesmokingman@programming.dev 1 points 3 weeks ago

Your comment said Forgejo has a disclosure process. The article says the author went with a carrot disclosure after reading the disclosure process and making a value judgement. Because your comment only mentioned Forgejo having a disclosure process, not an evaluation of the author’s evaluation of the disclosure process, it made you appear as if you had not read the article.

In your response to me calling that out, you offer an analysis. The author is lazy for using carrot disclosure over the defined disclosure process. That’s a valid take. I’m not going to disagree with that.

[-] irotsoma@piefed.blahaj.zone -1 points 3 weeks ago* (last edited 3 weeks ago)

Edit: I hate to remove comments and it may get me banned but due to the hate speech I'm receiving regarding things unrelated to software while trying to sympathize with a frustrated security researcher who got caught up in unnecessary bureaucracy when taken en masse, I'm going to remove these comments for now. This is why we volunteer FOSS engineers have to stay clear of popular projects I guess.

[-] notabot@piefed.social 1 points 3 weeks ago

Alternatively, they could have sent the security team an email with the 'carrot' and saying "There seem to be fundamental, systemic, security issues in Forgejo; here's some proof. There's too much for me to raise individual reports, what are we going to do about it?"

[-] helix@feddit.org 0 points 3 weeks ago* (last edited 3 weeks ago)

Can you please point out the hate speech you received? I can't find any in the comments here, just people having different opinions.

At the time of writing, the comment I am replying to has 15 up- and 3 downvotes. Doesn't look like it has warranted hate speech.

[-] irotsoma@piefed.blahaj.zone 1 points 3 weeks ago* (last edited 3 weeks ago)

They were DMed to me, and were disagreeing with me on this subject and then using anti-trans slurs. I got a bunch all in a short period, so I'm guessing a single actor or anti-trans group using multiple accounts. But I decided it wasn't worth my emotional energy to keep the comments up and have others do the same. Sucks that some people can't have discussions without finding something they hate about you and using that to make themselves feel superior when they don't have any real argument to make other than "you're wrong".

Honestly, I abandoned my lemmy.world account last year when Serinus changed the moderation policy that the "narrative" that trans people are not real or are mentally ill or whatever to not be considered hate speech and thus not to be removed automatically, following the similar change at Facebook. I guess I should continue to steer clear of the server since it seems it has given bigots a feeling that they aren't the bad guy as I argued it would just like it did with Facebook, X, and the others. Sucks that we can't live in peace. And that's all I'll say on the matter as I don't have the energy to convince anyone that trans people do exist, it's widely accepted medical science from all unbiased medical organizations and it is definitely as much hate speech to say a trans person isn't their gender as it is to say a black person is a non-human primate.

this post was submitted on 29 Apr 2026