The U.S. Cybersecurity and Infrastructure Safety Company (CISA) has warned of lively exploitation of a high-severity security flaw impacting Gogs by including it to its Recognized Exploited Vulnerabilities (KEV) catalog.
The vulnerability, tracked as CVE-2025-8110 (CVSS rating: 8.7), pertains to a case of path traversal within the repository file editor that might end in code execution.
“Gogs Path Traversal Vulnerability: Gogs incorporates a path traversal vulnerability affecting improper Symbolic hyperlink dealing with within the PutContents API that might enable for code execution,” CISA stated in an advisory.
Particulars of the shortcoming got here to mild final month when Wiz stated it found it being exploited in zero-day assaults. The vulnerability basically bypasses protections put in place for CVE-2024-55947 to attain code execution by making a git repository, committing a symbolic hyperlink pointing to a delicate goal, and utilizing the PutContents API to write down information to the symlink.
This, in flip, causes the underlying working system to navigate to the precise file the symlink factors to and overwrites the goal file exterior the repository. An attacker may leverage this habits to overwrite Git configuration recordsdata, particularly the sshCommand setting, giving them code execution privileges.
Wiz stated it recognized 700 compromised Gogs situations. In line with information from the assault floor administration platform Censys, there are about 1,600 internet-exposed Gogs servers, out of which the vast majority of them are situated in China (991), the U.S. (146), Germany (98), Hong Kong (56), and Russia (49).
There are at present no patches that deal with CVE-2025-8110, though pull requests on GitHub present that the required code adjustments have been made. “As soon as the picture is constructed on foremost, each gogs/gogs:newest and gogs/gogs:next-latest could have this CVE patched,” one of many challenge maintainers stated final week.
Within the absence of a repair, Gogs customers are suggested to disable the default open-registration setting and restrict server entry utilizing a VPN or an allow-list. Federal Civilian Govt Department (FCEB) companies are required to use the required mitigations by February 2, 2026.
