The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity security flaw affecting Gogs to its Known Exploited Vulnerabilities (KEV) catalog, warning that it can be actively exploited.
This vulnerability is tracked as CVE-2025-8110 (CVSS score: 8.7) and is related to a path traversal case in the repository file editor, which could lead to code execution.
“Gogs Path Traversal Vulnerability: Gogs contains a path traversal vulnerability that affects improper handling of symbolic links in the PutContents API, potentially allowing code execution,” CISA said in an advisory.
Details of the flaw were revealed last month when Wiz announced that it had discovered it being exploited in a zero-day attack. This vulnerability essentially executes code by creating a Git repository, committing a symbolic link pointing to a sensitive target, and writing data to the symbolic link using the PutContents API, bypassing the protections put in place for CVE-2024-55947.
This causes the underlying operating system to navigate to the actual file pointed to by the symbolic link, overwriting the target file outside of the repository. An attacker could use this behavior to override Git configuration files, specifically sshCommand settings, giving them permission to execute code.
Wiz said it has identified 700 compromised Gogs instances. According to data from attack surface management platform Censys, there are approximately 1,600 Gogs servers exposed to the internet, with the majority located in China (991), the United States (146), Germany (98), Hong Kong (56), and Russia (49).
There is currently no patch to address CVE-2025-8110, but a pull request on GitHub indicates that the necessary code changes have been made. “When the image is built on main, both gogs/gogs:latest and gogs/gogs:next-latest will be patched with this CVE,” one of the project’s maintainers said last week.
In the absence of a fix, we recommend that Gogs users disable the default open enrollment settings and restrict server access using a VPN or allowlist. Federal Civilian Executive Branch (FCEB) agencies have until February 2, 2026 to apply the necessary mitigation measures.
Source link
