bmitch3020 2 days ago

Forgejo has responded:

> The author of the recent 'Carrot disclosure' blog post has contacted the Forgejo Security team with their findings. The issues raised concern defence-in-depth improvements and denial-of-service risks. There is no known RCE exploit possible without internal server credentials.

> We believe these findings can be addressed publicly. The security team will open issues where approaches to implement new defensive measurements will be discussed; we believe there's no single answer and as such appreciate the opinion of other Forgejo contributors on this matter.

https://floss.social/@forgejo/116494295922963052

throwa356262 a day ago

Okay, this sounds familiar.

If you run Claude Opus 4.6 at max settings on the forgejo repo, it will give you a bunch of RCEs ... that need prior knowledge of the server's internal token :) You have to tell the stupid LLM that these attacks don't make sense.

The author seems to be an experienced security researcher. I am surprised he didn't catch this.