CISA Alerts on Active Exploitation of Gogs Vulnerability Allowing Code Execution

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding the active exploitation of a serious security vulnerability affecting Gogs, a self-hosted Git service. The flaw has now been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, signaling confirmed real-world attacks.

The vulnerability, tracked as CVE-2025-8110 with a CVSS score of 8.7, stems from a path traversal issue within the Gogs repository file editor. If exploited, the flaw can allow attackers to achieve remote code execution on affected servers.

Technical Overview of the Vulnerability

According to CISA, the issue arises from improper symbolic link handling in the PutContents API. This weakness enables attackers to bypass security controls and write files outside the intended repository directory.

Security researchers explained that an attacker first commits a symbolic link pointing at a sensitive file on the server into a repository they control. When the PutContents API is then used to write to that path, the server opens the link rather than a regular file in the repository, the operating system follows it, and the write overwrites the link's target outside the repository.

This technique can be used to modify Git configuration settings, including the sshCommand option. Git runs whatever core.sshCommand names in place of ssh whenever it needs an SSH connection, so an attacker who can write that setting into a configuration file read by the server's Git processes gains the ability to execute arbitrary commands on the server.
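To make the mechanism concrete, here is an added example in Go; it is not Gogs's code and does not reproduce Gogs's own PutContents implementation. It models a naive repository file writer next to a hardened one and shows, on a constructed fixture (a repository containing a symlink named "link" that points at a config-like file outside it), that the naive version writes through the planted symlink while the hardened version refuses. The function names, fixture layout and payload string are this example's own assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

// ErrOutsideRepo is returned when a write would land outside the repository root.
var ErrOutsideRepo = errors.New("path escapes repository root")

// putContentsUnsafe models a naive file editor: it rejects dot-dot traversal and then calls
// os.WriteFile, which follows symlinks, so a link planted in the repo redirects the write.
func putContentsUnsafe(repoRoot, relPath string, content []byte) error {
	dst := filepath.Join(repoRoot, relPath)
	if !strings.HasPrefix(dst, filepath.Clean(repoRoot)+string(os.PathSeparator)) {
		return ErrOutsideRepo
	}
	return os.WriteFile(dst, content, 0o644)
}

// putContentsSafe resolves symlinks in the parent directory and requires it to stay inside
// the repository, refuses a final component that is itself a symlink (Lstat, not Stat), and
// opens with O_NOFOLLOW so the check cannot be raced by swapping in a link after Lstat.
func putContentsSafe(repoRoot, relPath string, content []byte) error {
	root, err := filepath.EvalSymlinks(repoRoot)
	if err != nil {
		return err
	}
	dst := filepath.Join(root, filepath.Clean("/"+relPath)) // leading "/" neutralises ".."
	parent, err := filepath.EvalSymlinks(filepath.Dir(dst))
	if err != nil {
		return err
	}
	if rel, err := filepath.Rel(root, parent); err != nil || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(os.PathSeparator)) {
		return ErrOutsideRepo
	}
	final := filepath.Join(parent, filepath.Base(dst))
	if fi, err := os.Lstat(final); err == nil && fi.Mode()&os.ModeSymlink != 0 {
		return ErrOutsideRepo
	}
	f, err := os.OpenFile(final, os.O_WRONLY|os.O_CREATE|os.O_TRUNC|syscall.O_NOFOLLOW, 0o644)
	if err != nil {
		return err
	}
	defer f.Close()
	_, err = f.Write(content)
	return err
}

// Result records what each writer did to the file outside the repository.
type Result struct {
	UnsafeEscaped bool  // naive writer modified the outside file
	SafeEscaped   bool  // hardened writer modified the outside file
	SafeErr       error // hardened writer's verdict on the symlink path
	LegitErr      error // hardened writer's verdict on an ordinary path
}

// run builds a throwaway fixture (a repo containing a symlink named "link" that points at a
// config-like file outside it) and drives both writers against it.
func run() (Result, error) {
	var r Result
	dir, err := os.MkdirTemp("", "symlink-write-demo")
	if err != nil {
		return r, err
	}
	defer os.RemoveAll(dir)
	repo, target := filepath.Join(dir, "repo"), filepath.Join(dir, "outside", "config")
	original := []byte("[core]\n\tbare = true\n")
	err = errors.Join(os.MkdirAll(repo, 0o755), os.MkdirAll(filepath.Dir(target), 0o755))
	if err == nil {
		err = errors.Join(os.WriteFile(target, original, 0o644), os.Symlink(target, filepath.Join(repo, "link")))
	}
	if err != nil {
		return r, err
	}
	payload := []byte("[core]\n\tsshCommand = echo attacker-controlled\n") // constructed config edit
	if err = putContentsUnsafe(repo, "link", payload); err != nil {
		return r, err
	}
	got, _ := os.ReadFile(target)
	r.UnsafeEscaped = string(got) == string(payload)
	_ = os.WriteFile(target, original, 0o644) // restore before the hardened attempt
	r.SafeErr = putContentsSafe(repo, "link", payload)
	got, _ = os.ReadFile(target)
	r.SafeEscaped = string(got) == string(payload)
	r.LegitErr = putContentsSafe(repo, "docs/../README.md", []byte("# hello\n"))
	return r, nil
}

func main() {
	r, err := run()
	fmt.Printf("%+v\nerr: %v\n", r, err)
}
```

The prefix check in the naive writer is the kind of control that looks sufficient and is not: it reasons about the string, while the kernel resolves the path. The hardened writer reasons about the resolved parent, inspects the final component with Lstat, and still passes O_NOFOLLOW to open, because a check followed by a separate open is a race an attacker with repository write access can win.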

Active Exploitation and Impact

Cloud security firm Wiz reported that the vulnerability has already been exploited in zero-day attacks. Their investigation identified approximately 700 compromised Gogs instances.

Data from attack surface management platform Censys indicates that around 1,600 Gogs servers are currently exposed to the internet. Most of these instances are located in China, followed by the United States, Germany, Hong Kong, and Russia.

Patch Status and Mitigation Guidance

At present, no official patch has been released to fully address CVE-2025-8110. However, Gogs maintainers have confirmed that corrective code changes have already been merged into the main development branch, and a fixed release is expected once new builds and container images are produced.

Until a fixed release is available, administrators are strongly advised to disable open user registration (DISABLE_REGISTRATION = true in the [service] section of Gogs's app.ini), which limits who can create repositories on the instance; to restrict access to the server to a VPN or IP allow-list; and to monitor closely for signs of compromise, such as unexpected sshCommand entries in server-side repository configuration or symbolic links in repositories that resolve outside their own directory.
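As an added example, not from the page or the Gogs project, the following Go program implements the kind of check an administrator might run over a Gogs repositories directory while waiting for a fixed release: it flags git config files that set sshCommand and symbolic links that resolve outside the repository root. The directory layout, file names and sample contents in demo() are constructed for the demonstration; when running it for real, point Scan at the repositories root configured as ROOT in the [repository] section of app.ini.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

type Finding struct {
	Kind   string // "ssh-command" or "escaping-symlink"
	Path   string
	Detail string // the configured command, or what the link resolves to
}

// sshCommandIn returns the value of an sshCommand key if the git config file at path sets one.
// Git key names are case-insensitive (hence EqualFold); git only honours core.sshCommand, but
// any occurrence in a server-side repository config deserves a look.
func sshCommandIn(path string) (string, bool, error) {
	data, err := os.ReadFile(path)
	if err != nil {
		return "", false, err
	}
	for _, raw := range strings.Split(string(data), "\n") {
		line := strings.TrimSpace(raw)
		if strings.HasPrefix(line, "#") || strings.HasPrefix(line, ";") {
			continue
		}
		if k, v, ok := strings.Cut(line, "="); ok && strings.EqualFold(strings.TrimSpace(k), "sshCommand") {
			return strings.TrimSpace(v), true, nil
		}
	}
	return "", false, nil
}

// escapesRoot reports whether the symlink at path resolves outside root (unresolvable links count too).
func escapesRoot(root, path string) (string, bool) {
	resolved, err := filepath.EvalSymlinks(path)
	if err != nil {
		return "unresolvable: " + err.Error(), true
	}
	rel, err := filepath.Rel(root, resolved)
	return resolved, err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(os.PathSeparator))
}

// Scan walks root and flags config files that set sshCommand plus symlinks that escape root.
// Bare repos keep their config at <repo>/config, working trees at <repo>/.git/config.
func Scan(root string) (out []Finding, err error) {
	root, err = filepath.EvalSymlinks(root)
	if err != nil {
		return nil, err
	}
	err = filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		switch {
		case d.Type()&fs.ModeSymlink != 0:
			if target, bad := escapesRoot(root, p); bad {
				out = append(out, Finding{"escaping-symlink", p, target})
			}
		case !d.IsDir() && d.Name() == "config":
			if cmd, found, err := sshCommandIn(p); err == nil && found {
				out = append(out, Finding{"ssh-command", p, cmd})
			}
		}
		return nil
	})
	return out, err
}

// demo builds a constructed repository tree in a temp dir and scans it: one bare repo with a
// planted (oddly cased) sshCommand and a link pointing above the root, one clean repo with a
// harmless internal symlink.
func demo() ([]Finding, error) {
	dir, err := os.MkdirTemp("", "gogs-scan-demo")
	if err != nil {
		return nil, err
	}
	defer os.RemoveAll(dir)
	root := filepath.Join(dir, "gogs-repositories")
	write := func(p, body string) {
		err = errors.Join(err, os.MkdirAll(filepath.Dir(p), 0o755), os.WriteFile(p, []byte(body), 0o644))
	}
	write(filepath.Join(root, "alpha.git", "config"), "[core]\n\tbare = true\n\tSSHCommand = echo planted\n")
	write(filepath.Join(root, "beta.git", "config"), "[core]\n\tbare = true\n")
	err = errors.Join(err,
		os.Symlink(dir, filepath.Join(root, "alpha.git", "escape")),        // parent of root: flagged
		os.Symlink("config", filepath.Join(root, "beta.git", "internal"))) // stays inside: not flagged
	if err != nil {
		return nil, err
	}
	return Scan(root)
}

func main() {
	findings, err := demo()
	fmt.Printf("%+v\nerr: %v\n", findings, err)
}
```

Two caveats for anyone running this against a live instance. First, the findings are leads, not proof: an sshCommand entry in a server-side bare repository's config has no legitimate reason to exist, but a symlink leaving the root could be an administrator's own doing, so confirm before acting. Second, the scan only sees symbolic links that exist on disk; a link committed into a repository lives in Git's object store as a tree entry until something checks it out, so inspecting repository contents (for example with git ls-tree on suspect branches) is a separate step this filesystem walk does not replace.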

Federal Civilian Executive Branch (FCEB) agencies have been instructed by CISA to implement mitigations no later than February 2, 2026.
