CISA Mandates Urgent Patch for Actively Exploited Gogs Flaw

Summary
– CISA has ordered U.S. federal agencies to patch a high-severity vulnerability (CVE-2025-8110) in Gogs software by February 2, 2026, as it is being actively exploited.
– The flaw is a path traversal issue in the PutContents API that allows authenticated attackers to overwrite system files via symbolic links, leading to remote code execution.
– Wiz Research discovered the vulnerability in July and observed a second wave of zero-day attacks beginning on November 1, finding over 1,400 exposed servers with many compromised.
– Gogs maintainers released patches that add symlink-aware path validation, and users are advised to disable open registration and restrict server access.
– Agencies must apply vendor mitigations, and administrators should check for signs of compromise like suspicious PutContents API use or repositories with random eight-character names.
A critical security flaw in the popular Gogs self-hosted Git service is now under active exploitation, prompting an urgent federal mandate for patching. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has directed all government agencies to secure their systems against this high-severity vulnerability, which attackers have already leveraged in zero-day attacks. Gogs, a lightweight platform often used for remote software development collaboration, presents a significant risk when exposed online without proper safeguards.
The issue, identified as CVE-2025-8110, is a remote code execution flaw. It originates from a path traversal weakness within the platform’s PutContents API and lets authenticated users bypass the fix for a previous bug, tracked as CVE-2024-55947. The exploit works by using symbolic links, special files that point to other locations, to write data outside the intended repository boundaries. By overwriting specific Git configuration files, particularly the sshCommand setting, an attacker can make the system run arbitrary commands of their choice.
Security firm Wiz Research uncovered the vulnerability in July while responding to a malware infection on a client’s internet-facing Gogs server. They reported their findings to the Gogs maintainers on July 17. The maintainers acknowledged the report in late October and subsequently released patches last week. These updates introduce symlink-aware path validation to prevent unauthorized file writes. According to a timeline provided by Wiz, a second wave of attacks exploiting this flaw as a zero-day was detected on November 1.
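The weakness described above (a path check that looks only at the text of the path, which a symbolic link inside the repository slips past) and the fix the maintainers shipped (validation that inspects each on-disk component before writing) can be shown side by side. The Go program below is an added example written for this article; it is not Gogs code and does not reproduce the PutContents handler. The function names NaiveJoin and SymlinkAwareJoin, the shared lexicalRel helper and the temporary-directory layout used in main are assumptions made for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when a requested path would leave the repository root.
var ErrOutsideRoot = errors.New("path escapes repository root")

// lexicalRel applies the purely textual checks both variants share: reject
// absolute paths, the empty path, and anything that still starts with "..".
func lexicalRel(userPath string) (string, error) {
	rel := filepath.Clean(userPath)
	if filepath.IsAbs(rel) || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(os.PathSeparator)) {
		return "", ErrOutsideRoot
	}
	return rel, nil
}

// NaiveJoin is the text-only validation: it stops "../" traversal but never
// looks at the on-disk tree, so a symlink committed inside the repository that
// points elsewhere is silently followed when the file is written.
func NaiveJoin(root, userPath string) (string, error) {
	rel, err := lexicalRel(userPath)
	if err != nil {
		return "", err
	}
	return filepath.Join(root, rel), nil
}

// SymlinkAwareJoin performs the same textual checks and then walks the path
// component by component with Lstat (which does not follow links), refusing
// any component that already exists on disk as a symbolic link. Components
// that do not exist yet cannot be links, so the walk stops at the first one.
func SymlinkAwareJoin(root, userPath string) (string, error) {
	rel, err := lexicalRel(userPath)
	if err != nil {
		return "", err
	}
	absRoot, err := filepath.EvalSymlinks(root) // resolve the root itself once
	if err != nil {
		return "", err
	}
	cur := absRoot
	for _, part := range strings.Split(rel, string(os.PathSeparator)) {
		cur = filepath.Join(cur, part)
		fi, err := os.Lstat(cur)
		if os.IsNotExist(err) {
			break
		}
		if err != nil {
			return "", err
		}
		if fi.Mode()&os.ModeSymlink != 0 {
			return "", fmt.Errorf("%w: %q is a symbolic link", ErrOutsideRoot, part)
		}
	}
	return filepath.Join(absRoot, rel), nil
}

func main() {
	// Constructed demo: a temporary "repository" containing a symlink that
	// points outside it, as a malicious commit could place one.
	root, err := os.MkdirTemp("", "repo-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	if err := os.Symlink(os.TempDir(), filepath.Join(root, "link")); err != nil {
		panic(err)
	}
	for _, p := range []string{"README.md", "link/config", "../outside.txt"} {
		_, naiveErr := NaiveJoin(root, p)
		_, awareErr := SymlinkAwareJoin(root, p)
		fmt.Printf("%-16s naive: %-8v  symlink-aware: %v\n", p, naiveErr, awareErr)
	}
}
```

The point of the comparison is that `link/config` passes the textual check in both versions; only the Lstat walk notices that `link` is a symbolic link and refuses the write. A production check also has to hold a lock or re-check after creating the file, since a link could be swapped in between validation and the write, but the per-component Lstat is the core of what "symlink-aware path validation" means.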
The investigation revealed a troubling landscape. Researchers found more than 1,400 Gogs servers accessible from the public internet, with over 1,250 still exposed and more than 700 instances displaying indicators of potential compromise. This widespread exposure significantly amplifies the risk posed by the unpatched vulnerability.
In response to the active threats, CISA has formally added CVE-2025-8110 to its catalog of known exploited vulnerabilities. The agency has issued a binding directive, requiring all Federal Civilian Executive Branch (FCEB) agencies, including departments like Energy, Justice, and Homeland Security, to apply the available patches by February 2, 2026. CISA emphasized that such flaws are common vectors for malicious activity and pose a substantial danger to federal networks. The guidance instructs agencies to implement vendor-provided mitigations or, if none are available, to stop using the affected software entirely.
For administrators and organizations using Gogs, immediate action is crucial beyond applying the patch. Security experts strongly recommend disabling the default open-registration setting to prevent unauthorized account creation. Furthermore, access to Gogs servers should be restricted, ideally through a virtual private network (VPN) or a strict IP allow list, to minimize the attack surface. To check for potential compromises, administrators should audit their systems for suspicious activity involving the PutContents API and look for repositories created with random eight-character names during the known attack periods in July and November.
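One way to turn the two audit hints above (PutContents activity and repositories with random eight-character names created during the July and November attack periods) into a repeatable check is the Go program below. It is an added example for this article, not tooling from Gogs, Wiz or CISA. It assumes a simple "time ip method path" access-log layout, assumes PutContents requests appear as PUT /api/v1/repos/{owner}/{repo}/contents/..., approximates "July and November" as whole calendar months of 2025, and uses a constructed sample log; all of those are assumptions to adapt to a real deployment.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"time"
)

// Event is one parsed access-log record; the "time ip method path" layout is a
// constructed assumption for this example, not Gogs' own log format.
type Event struct {
	Time             time.Time
	IP, Method, Path string
}

// Finding is a PutContents write annotated with the indicators it matched.
type Finding struct {
	Event   Event
	Repo    string
	Score   int
	Reasons []string
}

// Assumed route shape of the PutContents API: PUT /api/v1/repos/{owner}/{repo}/contents/...
var putContentsPath = regexp.MustCompile(`^/api/v1/repos/([^/]+)/([^/]+)/contents(/|$)`)

// LooksRandom: exactly eight lowercase alphanumerics with both letters and digits
// (the mix requirement cuts noise from ordinary names such as "internal").
var eightChars = regexp.MustCompile(`^[a-z0-9]{8}$`)

func LooksRandom(name string) bool {
	return eightChars.MatchString(name) &&
		strings.ContainsAny(name, "0123456789") &&
		strings.ContainsAny(name, "abcdefghijklmnopqrstuvwxyz")
}

// AdvisoryWindows approximates "July and November" as whole months of 2025 (an assumption).
func AdvisoryWindows() [][2]time.Time {
	return [][2]time.Time{
		{time.Date(2025, 7, 1, 0, 0, 0, 0, time.UTC), time.Date(2025, 8, 1, 0, 0, 0, 0, time.UTC)},
		{time.Date(2025, 11, 1, 0, 0, 0, 0, time.UTC), time.Date(2025, 12, 1, 0, 0, 0, 0, time.UTC)},
	}
}

// InWindows reports whether t falls in any half-open range [w[0], w[1]).
func InWindows(t time.Time, ws [][2]time.Time) bool {
	for _, w := range ws {
		if !t.Before(w[0]) && t.Before(w[1]) {
			return true
		}
	}
	return false
}

func ParseLine(line string) (Event, bool) {
	f := strings.Fields(line)
	if len(f) != 4 {
		return Event{}, false
	}
	ts, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return Event{}, false
	}
	return Event{Time: ts, IP: f[1], Method: f[2], Path: f[3]}, true
}

// Triage keeps only PutContents writes and scores each: +1 for the write, +2 for a
// random-looking repository name, +1 for falling inside a known attack window.
func Triage(lines []string, ws [][2]time.Time) []Finding {
	var out []Finding
	for _, line := range lines {
		e, ok := ParseLine(line)
		m := putContentsPath.FindStringSubmatch(e.Path)
		if !ok || e.Method != "PUT" || m == nil {
			continue
		}
		f := Finding{Event: e, Repo: m[1] + "/" + m[2], Score: 1, Reasons: []string{"PutContents write"}}
		if LooksRandom(m[2]) {
			f.Score += 2
			f.Reasons = append(f.Reasons, "random-looking eight-character repo name")
		}
		if InWindows(e.Time, ws) {
			f.Score++
			f.Reasons = append(f.Reasons, "inside known attack window")
		}
		out = append(out, f)
	}
	return out
}

var sampleLog = []string{ // constructed for this example
	"2025-07-19T02:14:07Z 198.51.100.23 PUT /api/v1/repos/bob/x7q2m9kd/contents/README.md",
	"2025-09-12T14:22:31Z 192.0.2.10 PUT /api/v1/repos/alice/website/contents/index.html",
	"2025-11-02T23:59:58Z 203.0.113.77 POST /api/v1/user/repos",
	"2025-11-03T00:00:04Z 203.0.113.77 PUT /api/v1/repos/svc01/a9d3k2ql/contents/notes.txt",
}

func main() {
	for _, f := range Triage(sampleLog, AdvisoryWindows()) {
		fmt.Printf("score=%d %s %s %s: %s\n", f.Score, f.Event.Time.Format(time.RFC3339), f.Event.IP, f.Repo, strings.Join(f.Reasons, "; "))
	}
}
```

The score is a triage aid, not a verdict: every PutContents write is listed so an administrator can review the low-scoring ones too, while writes into random-looking repositories during the attack windows float to the top. The eight-character heuristic will still match a few legitimate names, which is why the output keeps the source IP and timestamp for manual follow-up.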
(Source: Bleeping Computer)