The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical alert regarding a high-severity vulnerability in the Gogs self-hosted Git service, confirming that the flaw is being actively exploited in the wild with no official patch currently available for administrators. The issue, now added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, underscores the significant risk posed to organizations relying on this popular, lightweight Git solution. Tracked as CVE-2025-8110 and assigned a severe 8.7 rating on the CVSS v4.0 scale, the vulnerability originates from improper handling of symbolic links within Gogs’ PutContents API. This fundamental error allows an authenticated attacker to write and overwrite arbitrary files outside the confines of a designated repository. Such a capability can be directly escalated into full remote code execution (RCE), granting threat actors complete control over the compromised server and any sensitive source code or infrastructure secrets it may contain, posing an immediate and substantial threat to an organization’s operational integrity and intellectual property.
1. Uncovering Widespread Exploitation
The vulnerability’s active exploitation was first brought to light by security researchers at Wiz, who discovered the zero-day attack while investigating a malware infection on a customer’s system. Their in-depth analysis revealed that threat actors were systematically abusing the flaw, effectively bypassing security measures that had been implemented in the previous year to address a similar vulnerability, CVE-2024-55947. The attack vector is deceptively simple yet highly effective: an attacker with valid credentials commits a symbolic link within a repository and then uses the vulnerable API to write to that link. This action tricks the underlying operating system into following the link and overwriting a targeted file located elsewhere on the server. A primary target observed in these attacks is the core Git configuration file, where modifying the sshCommand setting allows adversaries to execute arbitrary commands with the privileges of the Gogs service account. Wiz reported identifying over 700 compromised Gogs instances, while data from the threat intelligence platform Censys indicates that 1602 Gogs servers are currently exposed to the internet, with the highest concentrations located in China, the United States, and Germany.
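As an added example, not Gogs’ own code and not taken from the Wiz or CISA write-ups, here is the containment check a contents-style write API needs against the symlink trick described above: the requested path is resolved through any symlinks before it is compared with the repository root, and the file is then opened with O_NOFOLLOW. The function names resolveInRepo and putContents are this example’s own assumptions.

```go
package main

import (
	"errors"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

// resolveInRepo maps a repository-relative path to an absolute filesystem path and
// rejects it unless the symlink-resolved target stays under root. The longest existing
// prefix is resolved with EvalSymlinks, so a committed symlink anywhere in the path
// cannot redirect a later write outside the repository (hypothetical helper, not Gogs code).
func resolveInRepo(root, rel string) (string, error) {
	absRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	// Cleaning with a leading "/" strips ".." segments that would climb above root lexically.
	target := filepath.Join(absRoot, filepath.Clean("/"+rel))
	// Walk up to the longest existing prefix; Lstat does not follow a symlink in the last component.
	existing, rest := target, []string{}
	for _, err := os.Lstat(existing); err != nil; _, err = os.Lstat(existing) {
		rest = append([]string{filepath.Base(existing)}, rest...)
		existing = filepath.Dir(existing)
	}
	resolved, err := filepath.EvalSymlinks(existing)
	if err != nil {
		return "", err
	}
	final := filepath.Join(append([]string{resolved}, rest...)...)
	if final == absRoot || !strings.HasPrefix(final, absRoot+string(os.PathSeparator)) {
		return "", errors.New("path resolves outside the repository: " + rel)
	}
	return final, nil
}

// putContents is the hardened write a contents-style API should perform: validate first,
// then open with O_NOFOLLOW so a symlink dropped into the final component between the
// check and the open is refused rather than followed.
func putContents(root, rel string, data []byte) error {
	path, err := resolveInRepo(root, rel)
	if err != nil {
		return err
	}
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC|syscall.O_NOFOLLOW, 0o644)
	if err != nil {
		return err
	}
	defer f.Close()
	_, err = f.Write(data)
	return err
}
```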
2. Addressing the Unpatched Threat
In response to the confirmed attacks, CISA has directed all Federal Civilian Executive Branch agencies to apply mitigations by February 2, 2026, a clear signal of the vulnerability’s severity. At present, no official patch has been released for CVE-2025-8110, leaving all Gogs versions up to and including 0.13.3 susceptible to attack. While code changes addressing the symbolic link handling have been committed to the project’s main development branch, a stable, distributable fix is not yet available. A project maintainer has indicated that once new software images are built, a patch will be included in both the latest and the next-latest Gogs releases. Until then, organizations are strongly urged to implement immediate defensive measures. Recommended mitigations include disabling open registration if it is not a business requirement, which prevents new, potentially malicious accounts from being created. Additionally, access to Gogs servers should be strictly limited by placing them behind a VPN or enforcing a rigorous IP allow-list. Administrators are also advised to actively monitor for indicators of compromise, such as the appearance of new repositories with random eight-character names or unusual and unexpected API usage patterns. This incident serves as a stark reminder of the inherent risks in unpatched, internet-facing infrastructure and the critical need for constant vigilance and layered security controls.
