CISA Flags Actively Exploited Gogs Vulnerability With No Patch

By Team-CWD, January 13, 2026

A high-severity security flaw affecting the self-hosted Git service Gogs is being actively exploited, prompting a warning from the US Cybersecurity and Infrastructure Security Agency (CISA).

The issue has now been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, signaling confirmed attacks in real-world environments.

Tracked as CVE-2025-8110 and rated 8.7 on the CVSS v4.0 scale, the vulnerability stems from improper handling of symbolic links in Gogs’ PutContents API.

The flaw allows authenticated users to overwrite files outside a repository, which can lead directly to remote code execution (RCE).

Exploitation at Scale

The vulnerability was uncovered by Wiz researchers while investigating a malware infection on a customer’s system. Their analysis revealed that attackers were abusing the flaw as a zero-day, bypassing protections introduced last year for a similar issue, CVE-2024-55947.

By committing a symbolic link inside a repository and then writing to it through the API, attackers can force the underlying operating system to overwrite sensitive files elsewhere on the server. One common target is the Git configuration file, where modifying the sshCommand setting can grant arbitrary code execution.

Wiz reported identifying more than 700 compromised Gogs instances. Data from Censys suggests 1602 Gogs servers are currently exposed to the internet, with the highest concentrations in China, the US and Germany.

Ongoing Risk

There is currently no official patch available for CVE-2025-8110, although code changes addressing the issue have been submitted to the project’s main branch.

One maintainer indicated that once new images are built, both the latest and next-latest Gogs releases will include a fix.

In the meantime, attackers continue to exploit the flaw. Wiz observed multiple waves of activity beginning in July 2025, with malware payloads linked to the Supershell command-and-control (C2) framework deployed across affected servers.

Recommended Mitigations

CISA has directed Federal Civilian Executive Branch agencies to apply mitigations by February 2, 2026. For other organizations running Gogs, researchers recommend immediate defensive steps:

  • Disable open registration if it is not required

  • Restrict access to Gogs servers using a VPN or IP allow-list

  • Monitor for repositories with random eight-character names or unusual API usage

The vulnerability affects Gogs versions up to 0.13.3 and can be exploited on any system running those releases. Until a patch is widely available, administrators are urged to assume exposed instances are at high risk and act accordingly.
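
As an added example (not code from the article, from Wiz, or from the Gogs project), the following Python script audits a Gogs host read-only for the three indicators described above: committed symbolic links whose target climbs outside their repository, Git config files that set sshCommand, and the eight-character repository names mentioned in the mitigations. It assumes Gogs stores one bare repository per directory and that the git CLI is installed.

```python
# Added example (not from the article, Wiz or Gogs): read-only audit of a Gogs
# host for committed symlinks that escape their repository, git config files that
# set core.sshCommand, and eight-character repo names. Assumes bare repos on disk.
import os
import re
import subprocess

SSH_COMMAND_RE = re.compile(r"^\s*sshcommand\s*=", re.IGNORECASE | re.MULTILINE)
RANDOM_NAME_RE = re.compile(r"^[A-Za-z0-9]{8}(\.git)?$")

def symlink_escapes(link_path: str, target: str) -> bool:
    """True if a repo-relative symlink's target can resolve outside the repo."""
    if target.startswith("/"):
        return True
    # depth = directory levels between the repository root and the link itself
    depth = len([p for p in link_path.split("/") if p and p != "."]) - 1
    for part in target.split("/"):
        if part == "..":
            depth -= 1
            if depth < 0:
                return True
        elif part and part != ".":
            depth += 1
    return False

def config_sets_ssh_command(config_text: str) -> bool:
    """Git config keys are case-insensitive, so match sshCommand ignoring case."""
    return SSH_COMMAND_RE.search(config_text) is not None

def committed_symlinks(repo_dir: str, ref: str = "HEAD"):
    """Yield (path, target) for each mode-120000 tree entry; needs the git CLI."""
    def git(*args):
        return subprocess.run(["git", "-C", repo_dir, *args], capture_output=True,
                              text=True, check=True).stdout
    for line in git("ls-tree", "-r", ref).splitlines():
        meta, path = line.split("\t", 1)
        mode, _kind, sha = meta.split()
        if mode == "120000":
            yield path, git("cat-file", "-p", sha).strip()

def audit_repo(repo_dir: str) -> list:
    name, findings = os.path.basename(repo_dir.rstrip("/")), []
    if RANDOM_NAME_RE.match(name):
        findings.append(f"{name}: eight-character repository name")
    cfg = os.path.join(repo_dir, "config")
    if os.path.isfile(cfg) and config_sets_ssh_command(open(cfg).read()):
        findings.append(f"{name}: git config sets sshCommand")
    for path, target in committed_symlinks(repo_dir):
        if symlink_escapes(path, target):
            findings.append(f"{name}: symlink {path} -> {target} leaves the repo")
    return findings
```

Run `audit_repo()` over each repository directory under the Gogs data root; any finding is worth a manual look, and a repository that trips more than one check should be treated as likely compromised.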
