CVE-2022-39205: Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. In versions of Onedev prior to 7.3.0 unauthenticated users can take over a One...

Description

Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. In versions of Onedev prior to 7.3.0 unauthenticated users can take over a OneDev instance if there is no properly configured reverse proxy. The /git-prereceive-callback endpoint is used by the pre-receive git hook on the server to check for branch protections during a push event. It is only intended to be accessed from localhost, but the check relies on the X-Forwarded-For header. Invoking this endpoint leads to the execution of one of various git commands. The environment variables of this command execution can be controlled via query parameters. This allows attackers to write to arbitrary files, which can in turn lead to the execution of arbitrary code. Such an attack would be very hard to detect, which increases the potential impact even more. Users are advised to upgrade. There are no known workarounds for this issue.

Metrics

CVSS 3.1

9.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

1.76%

75.1th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-287

Affected Software

Vendor	Product	Versions
Onedev Project	Onedev	< 7.3.0

References

https://blog.sonarsource.com/onedev-remote-code-execution/Exploit, Third Party Advisory
https://github.com/theonedev/onedev/commit/f1e97688e4e19d6de1dfa1d00e04655209d39f8ePatch, Third Party Advisory
https://github.com/theonedev/onedev/releases/tag/v7.3.0Release Notes, Third Party Advisory
https://github.com/theonedev/onedev/security/advisories/GHSA-4f9h-h82c-4xm2Third Party Advisory
https://blog.sonarsource.com/onedev-remote-code-execution/Exploit, Third Party Advisory
https://github.com/theonedev/onedev/commit/f1e97688e4e19d6de1dfa1d00e04655209d39f8ePatch, Third Party Advisory
https://github.com/theonedev/onedev/releases/tag/v7.3.0Release Notes, Third Party Advisory
https://github.com/theonedev/onedev/security/advisories/GHSA-4f9h-h82c-4xm2Third Party Advisory

Timeline

Published: Sep 13, 2022
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2022-39205?

Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. In versions of Onedev prior to 7.3.0 unauthenticated users can take over a OneDev instance if there is no properly configured reverse proxy. The /git-prereceive-callback endpoint is used by the pre-receive git hook on the server to check for branch protections during a push event. It is only intended to be accessed from localhost, but the check relies on the X-Forwarded-For header. Invoking this endpoint leads to the execution of one of various git commands. The environment variables of this command execution can be controlled via query parameters. This allows attackers to write to arbitrary files, which can in turn lead to the execution of arbitrary code. Such an attack would be very hard to detect, which increases the potential impact even more. Users are advised to upgrade. There are no known workarounds for this issue.

How severe is CVE-2022-39205?

CVE-2022-39205 has a CVSS score of 9.8/10 (CRITICAL severity). The EPSS model estimates a 1.76% probability of exploitation in the next 30 days.

How do I fix CVE-2022-39205?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.