Unpatched Gogs Bug Actively Exploited, CISA Warns

Summary
– A critical vulnerability (CVE-2025-8110) in the self-hosted Git service Gogs is being actively exploited, leading to its addition to CISA’s Known Exploited Vulnerabilities catalog.
– The flaw, which allows authenticated users to overwrite files and achieve remote code execution, stems from improper symbolic link handling in the PutContents API.
– Researchers discovered over 700 compromised instances, with attackers exploiting it as a zero-day since July 2025 to deploy malware linked to the Supershell C2 framework.
– There is no official patch yet, though fixes are in the project’s main branch and will be included in upcoming releases.
– CISA has issued a mitigation deadline for federal agencies, and all organizations are urged to restrict access, disable open registration, and monitor for signs of compromise.
A critical security vulnerability within the self-hosted Git platform Gogs is now under active exploitation, leading to an urgent advisory from the U.S. Cybersecurity and Infrastructure Security Agency. The agency has officially listed the flaw in its Known Exploited Vulnerabilities catalog, confirming that malicious actors are already leveraging it in real-world attacks. This designation underscores the immediate threat posed to organizations using the affected software.
Identified as CVE-2025-8110 and rated 8.7 (High) on the CVSS v4.0 scale, the weakness originates from improper handling of symbolic links in Gogs's PutContents API. The flaw allows any authenticated user to overwrite files outside the boundaries of the repository they are writing to. That primitive can be weaponized directly into remote code execution on the underlying server, giving attackers significant control.
Security researchers from Wiz discovered the vulnerability while investigating a malware incident on a client's network. Their findings indicate that attackers were already exploiting the bug as a zero-day, bypassing the fix shipped last year for a related issue, CVE-2024-55947. The attack involves committing a symbolic link inside a repository and then using the API to write to that path. Because the server follows the link when it writes, the data lands on whatever file the link points to, outside the repository. A frequent target is the repository's Git configuration file: core.sshCommand tells Git which program to run for SSH connections, so an attacker who sets it gets an arbitrary command executed the next time Git performs an SSH operation on that repository.
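The symlink-following write described above, reduced to its essentials, as an added example (illustrative Go, not Gogs's code and not the project's actual fix): `unsafeWrite` is the vulnerable pattern of joining an API-supplied path to the repository root and writing through it, while `safeWrite` is one hardening that resolves the parent directory, confines it to the repository root, refuses a symlink at the final component and opens with `O_NOFOLLOW`. The directory layout, file names and contents are constructed for the demo.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

// ErrEscapesRepo is returned when a write would land outside the repository
// root once symbolic links are resolved.
var ErrEscapesRepo = errors.New("write path escapes repository root")

// unsafeWrite is the vulnerable pattern: join the API-supplied path to the
// repository root and write. os.WriteFile follows symlinks, so a symlink
// committed at relPath redirects the write to wherever the link points.
func unsafeWrite(repoRoot, relPath string, data []byte) error {
	return os.WriteFile(filepath.Join(repoRoot, relPath), data, 0o644)
}

// safeWrite rejects traversal, resolves symlinks in the parent directory and
// checks it is still inside the repository, refuses a non-regular (symlink,
// directory, device) final component, and opens with O_NOFOLLOW so a symlink
// swapped in after the check is not followed either (Linux/macOS flag).
func safeWrite(repoRoot, relPath string, data []byte) error {
	root, err := filepath.EvalSymlinks(repoRoot)
	if err != nil {
		return err
	}
	sep := string(filepath.Separator)
	clean := filepath.Clean(relPath)
	if filepath.IsAbs(clean) || clean == ".." || strings.HasPrefix(clean, ".."+sep) {
		return ErrEscapesRepo
	}
	dest := filepath.Join(root, clean)
	parent, err := filepath.EvalSymlinks(filepath.Dir(dest))
	if err != nil {
		return err
	}
	if parent != root && !strings.HasPrefix(parent, root+sep) {
		return ErrEscapesRepo
	}
	final := filepath.Join(parent, filepath.Base(dest))
	if fi, err := os.Lstat(final); err == nil {
		if !fi.Mode().IsRegular() {
			return ErrEscapesRepo
		}
	} else if !errors.Is(err, os.ErrNotExist) {
		return err
	}
	f, err := os.OpenFile(final, os.O_WRONLY|os.O_CREATE|os.O_TRUNC|syscall.O_NOFOLLOW, 0o644)
	if err != nil {
		return err
	}
	if _, err := f.Write(data); err != nil {
		f.Close()
		return err
	}
	return f.Close()
}

// DemoResult records what each writer did to a file outside the repository.
type DemoResult struct {
	UnsafeOverwrote bool  // vulnerable write clobbered the outside file
	SafeErr         error // error returned by the hardened write
	SafeOverwrote   bool  // hardened write clobbered the outside file
	SafeNewFileOK   bool  // hardened write still creates ordinary files
}

// Demo builds a scratch layout (constructed for this example): an outside file
// next to a repository holding a "committed" symlink config -> ../outside.conf,
// then runs both writers against the symlink and reports what happened.
func Demo() (DemoResult, error) {
	var res DemoResult
	tmp, err := os.MkdirTemp("", "symlink-demo")
	if err != nil {
		return res, err
	}
	defer os.RemoveAll(tmp)
	outside, repo := filepath.Join(tmp, "outside.conf"), filepath.Join(tmp, "repo")
	original, payload := []byte("original contents\n"), []byte("attacker-controlled contents\n")
	if err := os.Mkdir(repo, 0o755); err != nil {
		return res, err
	}
	if err := os.WriteFile(outside, original, 0o644); err != nil {
		return res, err
	}
	if err := os.Symlink(filepath.Join("..", "outside.conf"), filepath.Join(repo, "config")); err != nil {
		return res, err
	}
	if err := unsafeWrite(repo, "config", payload); err != nil {
		return res, err
	}
	got, _ := os.ReadFile(outside)
	res.UnsafeOverwrote = string(got) == string(payload)
	if err := os.WriteFile(outside, original, 0o644); err != nil { // restore
		return res, err
	}
	res.SafeErr = safeWrite(repo, "config", payload)
	got, _ = os.ReadFile(outside)
	res.SafeOverwrote = string(got) == string(payload)
	res.SafeNewFileOK = safeWrite(repo, "README.md", payload) == nil
	return res, nil
}

func main() {
	res, err := Demo()
	if err != nil {
		fmt.Println("demo failed:", err)
		return
	}
	fmt.Printf("%+v\n", res)
}
```

Running `Demo` shows the vulnerable writer replacing the outside file while the hardened one returns `ErrEscapesRepo` and leaves it untouched, yet still creates a plain `README.md`. The parent-directory check matters as much as the final-component check: a symlinked directory earlier in the path would otherwise carry the write out of the repository just as effectively.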
The scale of the issue is concerning. Wiz’s investigation revealed over 700 Gogs instances that had already been compromised. Broader internet scans from Censys indicate that approximately 1,602 Gogs servers remain publicly accessible online, with notable concentrations located in China, the United States, and Germany.
As of now, there is no official, released patch for CVE-2025-8110. However, a fix has been merged into the project's main development branch. A project maintainer has said that once new images are built, the fix will be incorporated into both the latest and the immediately preceding Gogs releases.
Despite the pending fix, exploitation campaigns are ongoing. Researchers tracked multiple waves of malicious activity starting in July 2025, where threat actors deployed malware payloads associated with the Supershell command-and-control framework onto vulnerable servers.
In response, CISA has mandated that all Federal Civilian Executive Branch agencies implement protective measures by February 2, 2026. For other entities operating Gogs, security experts strongly recommend taking several defensive actions immediately. Organizations should disable open user registration if this feature is not strictly necessary and restrict access to Gogs servers through a virtual private network or an IP address allow-list. It is also crucial to monitor for suspicious indicators, such as newly created repositories with random eight-character names or anomalous API call patterns.
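The two monitoring indicators above, turned into a small hunting pass over access logs, as an added example (not from the article, Wiz or the Gogs project). The log lines are constructed in a simplified key=value format rather than real Gogs output, and the endpoint shape `/api/v1/repos/{owner}/{repo}/contents/{path}` is assumed; `looksRandom` is a coarse heuristic for "random eight-character name" that a real deployment would tune and allow-list.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
	"unicode"
)

// sampleLog is constructed for this example; it is not real Gogs log output.
var sampleLog = `
2025-07-14T03:12:01Z user=bob method=GET path=/api/v1/repos/bob/website/contents/README.md status=200
2025-07-14T03:12:05Z user=mallory method=POST path=/api/v1/user/repos status=201
2025-07-14T03:12:06Z user=mallory method=PUT path=/api/v1/repos/mallory/x7Kq2pLm/contents/config status=200
2025-07-14T03:12:07Z user=mallory method=PUT path=/api/v1/repos/mallory/x7Kq2pLm/contents/config status=200
2025-07-14T03:12:08Z user=mallory method=PUT path=/api/v1/repos/mallory/x7Kq2pLm/contents/settings status=200
2025-07-14T03:15:00Z user=alice method=PUT path=/api/v1/repos/alice/infra-docs/contents/docs/index.md status=200
`

// pathRe matches the assumed contents-API shape and captures owner, repo, path.
var pathRe = regexp.MustCompile(`^/api/v1/repos/([^/]+)/([^/]+)/contents/(.+)$`)

type entry struct{ ts, user, method, owner, repo, path string }

// parseLine returns the entry for a contents-API call, or false for anything else.
func parseLine(line string) (entry, bool) {
	fields := strings.Fields(line)
	if len(fields) < 5 {
		return entry{}, false
	}
	e := entry{ts: fields[0]}
	for _, f := range fields[1:] {
		k, v, ok := strings.Cut(f, "=")
		if !ok {
			continue
		}
		switch k {
		case "user":
			e.user = v
		case "method":
			e.method = v
		case "path":
			m := pathRe.FindStringSubmatch(v)
			if m == nil {
				return entry{}, false
			}
			e.owner, e.repo, e.path = m[1], m[2], m[3]
		}
	}
	return e, e.path != ""
}

// looksRandom flags eight-character alphanumeric names that mix digits with
// letters or upper with lower case. Heuristic only: "platform" is not flagged,
// "x7Kq2pLm" is.
func looksRandom(name string) bool {
	if len(name) != 8 {
		return false
	}
	var digit, letter, upper, lower bool
	for _, r := range name {
		switch {
		case unicode.IsDigit(r):
			digit = true
		case unicode.IsUpper(r):
			letter, upper = true, true
		case unicode.IsLower(r):
			letter, lower = true, true
		default:
			return false
		}
	}
	return (digit && letter) || (upper && lower)
}

// Finding is one hunting hit: Kind is "random-name-repo" or "write-burst".
type Finding struct{ Kind, User, Repo, Detail string }

// Analyze flags PUTs into random-looking repo names (once per repo) and users
// whose contents-API write count reaches burstThreshold. Output is sorted.
func Analyze(log string, burstThreshold int) []Finding {
	var findings []Finding
	seen := map[string]bool{}
	writes := map[string]int{}
	for _, line := range strings.Split(log, "\n") {
		e, ok := parseLine(strings.TrimSpace(line))
		if !ok || e.method != "PUT" {
			continue
		}
		writes[e.user]++
		key := e.owner + "/" + e.repo
		if looksRandom(e.repo) && !seen[key] {
			seen[key] = true
			findings = append(findings, Finding{"random-name-repo", e.user, key, "PUT to " + e.path})
		}
	}
	for user, n := range writes {
		if n >= burstThreshold {
			findings = append(findings, Finding{"write-burst", user, "", fmt.Sprintf("%d contents writes", n)})
		}
	}
	sort.Slice(findings, func(i, j int) bool {
		if findings[i].Kind != findings[j].Kind {
			return findings[i].Kind < findings[j].Kind
		}
		return findings[i].User < findings[j].User
	})
	return findings
}

func main() {
	for _, f := range Analyze(sampleLog, 3) {
		fmt.Printf("%-17s user=%-8s repo=%-17s %s\n", f.Kind, f.User, f.Repo, f.Detail)
	}
}
```

On the constructed sample this produces one `random-name-repo` hit for `mallory/x7Kq2pLm` and one `write-burst` for `mallory`, and nothing for `alice` or `bob`. Treat both as triage signals rather than verdicts: a burst of contents-API writes from a CI account is normal, and the name heuristic will need an allow-list for legitimate short repository names.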
This vulnerability affects all Gogs versions up to and including 0.13.3, putting any system running these releases at direct risk. Until an official patch is released and applied, administrators should assume that any internet-exposed Gogs instance is in imminent danger and apply the mitigations above without delay.
(Source: InfoSecurity Magazine)
