HeadlinesBriefing.com

Forgejo audit exposes RCE, researcher opts for carrot disclosure

Hacker News

After Fedora migrated from Pagure to Forgejo, a security reviewer spent an evening probing the platform’s codebase. The audit uncovered server‑side request forgery across multiple endpoints, missing CSP/Trusted‑Types, ad‑hoc JavaScript templating, weak cryptography, and sloppy OAuth2, OTP and session handling. Low‑effort denial‑of‑service vectors and information leaks were scattered across the attack surface, pointing to a systemic security deficit.

Chaining these flaws yielded a full remote code execution (RCE) path that also exposed admin credentials and secret tokens and allowed OAuth2 privilege escalation. The exploit depends on open user registration and a non‑default configuration flag present on several public instances, which limits its practical impact but still proves the codebase is exploitable. The researcher opted for a “carrot disclosure” model, publishing only redacted proof to pressure the project.

Forgejo’s maintainers acknowledge the findings via their published security policy, which outlines mandatory remediation steps. While the disclosed chain demonstrates a breach, the project can still remediate without a mass migration away from the platform. This episode underscores the risks of adopting freshly ported open‑source services without a thorough hardening phase, reminding operators to audit configurations before production rollout.