SecurityWeek

Unpatched Gogs Zero-Day Exploited for Months

The exploited flaw allows attackers to overwrite files outside the repository, leading to remote code execution.

More than 700 Gogs instances have been compromised via an unpatched zero-day vulnerability in the self-hosted Git service, cybersecurity firm Wiz warns.

Tracked as CVE-2025-8110, the exploited security defect is described as an improper symbolic link handling issue in the PutContents API.

The weakness allows authenticated attackers to overwrite files outside the repository and achieve remote code execution, explains Wiz, which identified and reported the bug in July.

The issue, the cybersecurity outfit explains, is a symlink bypass of CVE-2024-55947, a path traversal flaw in the Gogs file update API.

Patched in December 2024 in Gogs version 0.13.1, CVE-2024-55947 allowed attackers to write files to arbitrary paths on the server, such as sensitive system files or configuration files.

Successful exploitation of the vulnerability would provide attackers with SSH access to the affected servers.

The fix for the flaw added input validation on the path parameter, but did not account for symbolic links, and threat actors have been abusing this attack vector for months.

This is possible because Git and Gogs support the use of symbolic links, which may point to objects outside the repository, and the Gogs API enables the modification of files outside the git protocol. Additionally, the Gogs API does not validate the destination of a symbolic link.

“Because Gogs respects standard Git behavior, it allows users to commit symbolic links to repositories. The vulnerability arises because the API writes to the file path without checking if the target file is a symlink pointing outside the repo. This effectively renders the previous path validation useless if a symlink is involved,” Wiz explains.
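The gap the quote describes, a path check that reasons about the string but never about what is already on disk, is easiest to see side by side. The program below is an added example written for this article, not Gogs's own code: `lexicalCheck` stands in for the kind of textual validation the earlier fix is described as adding, and `resolvedCheck` adds the missing step by refusing to write through a symlink and resolving the deepest existing ancestor of the target before comparing it with the real repository root. `BuildFixture` constructs a throwaway directory layout with a committed file symlink and a committed directory symlink, both pointing outside the repository; the names and layout are assumptions made for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRepo is returned when a write would land outside the repository root.
var ErrOutsideRepo = errors.New("write target escapes repository root")

const sep = string(filepath.Separator)

// lexicalCheck is a purely textual check of the kind the article says the first
// fix added: it rejects absolute paths and ".." traversal but never consults the
// filesystem, so a committed symlink inside the repo passes it unnoticed.
func lexicalCheck(repoRoot, rel string) (string, error) {
	clean := filepath.Clean(rel)
	if filepath.IsAbs(clean) || clean == "." || clean == ".." || strings.HasPrefix(clean, ".."+sep) {
		return "", ErrOutsideRepo
	}
	return filepath.Join(repoRoot, clean), nil
}

// resolvedCheck adds the missing step: it refuses to write through a symlink and
// resolves the deepest existing part of the path, so a symlinked ancestor
// directory that points out of the repo is caught as well.
func resolvedCheck(repoRoot, rel string) (string, error) {
	target, err := lexicalCheck(repoRoot, rel)
	if err != nil {
		return "", err
	}
	realRoot, err := filepath.EvalSymlinks(repoRoot)
	if err != nil {
		return "", err
	}
	if fi, err := os.Lstat(target); err == nil && fi.Mode()&os.ModeSymlink != 0 {
		return "", ErrOutsideRepo // final component is a symlink, wherever it points
	}
	probe := target // the file may not exist yet: walk up to an existing ancestor
	for {
		if _, err := os.Lstat(probe); err == nil {
			break
		}
		if parent := filepath.Dir(probe); parent != probe {
			probe = parent
		} else {
			return "", fmt.Errorf("no existing ancestor for %s", target)
		}
	}
	resolved, err := filepath.EvalSymlinks(probe)
	if err != nil {
		return "", err
	}
	if resolved != realRoot && !strings.HasPrefix(resolved, realRoot+sep) {
		return "", ErrOutsideRepo
	}
	return target, nil
}

// BuildFixture creates a throwaway layout, constructed for this example:
//   <tmp>/outside/target.conf                 a file the repo API must never touch
//   <tmp>/repo/README.md                      an ordinary tracked file
//   <tmp>/repo/cfg -> ../outside/target.conf  a committed symlink to that file
//   <tmp>/repo/etc -> ../outside              a committed symlink to that directory
func BuildFixture() (repoRoot string, cleanup func(), err error) {
	base, err := os.MkdirTemp("", "symlink-demo")
	if err != nil {
		return "", nil, err
	}
	cleanup = func() { os.RemoveAll(base) }
	repoRoot, outside := filepath.Join(base, "repo"), filepath.Join(base, "outside")
	for _, step := range []func() error{
		func() error { return os.MkdirAll(repoRoot, 0o755) },
		func() error { return os.MkdirAll(outside, 0o755) },
		func() error { return os.WriteFile(filepath.Join(outside, "target.conf"), []byte("keep me\n"), 0o644) },
		func() error { return os.WriteFile(filepath.Join(repoRoot, "README.md"), []byte("hello\n"), 0o644) },
		func() error { return os.Symlink("../outside/target.conf", filepath.Join(repoRoot, "cfg")) },
		func() error { return os.Symlink("../outside", filepath.Join(repoRoot, "etc")) },
	} {
		if err := step(); err != nil {
			cleanup()
			return "", nil, err
		}
	}
	return repoRoot, cleanup, nil
}

func main() {
	root, cleanup, err := BuildFixture()
	if err != nil {
		panic(err)
	}
	defer cleanup()
	for _, rel := range []string{"README.md", "../outside/target.conf", "cfg", "etc/new.conf"} {
		_, lexErr := lexicalCheck(root, rel)
		_, resErr := resolvedCheck(root, rel)
		fmt.Printf("%-24s lexical accepts: %-5v resolved: %v\n", rel, lexErr == nil, resErr)
	}
}
```

Running it shows the two checks agreeing on `README.md` and on the `..` traversal, and disagreeing on `cfg` and `etc/new.conf`: the lexical check accepts both because the strings stay inside the repository, while the resolved check rejects both because the filesystem says otherwise. The final-component `Lstat` refusal is deliberately stricter than strictly necessary; a content API has no legitimate reason to follow a symlink, so rejecting them outright avoids a race between resolving and writing.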

To exploit the vulnerability, threat actors create new Git repositories, commit a symbolic link pointing to a sensitive target, write data to the symlink using the PutContents API, and overwrite .git/config to achieve arbitrary command execution.

According to Wiz, there are over 1,400 exposed Gogs instances and threat actors have compromised more than 700 to date.

“All infected instances shared the same pattern: 8-character random owner/repo names created within the same short time window (July 10th). This suggests that a single actor, or perhaps a group of actors all using the same tooling, is responsible for all infections,” Wiz explains.
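The pattern Wiz reports, random-looking 8-character owner and repository names created in a burst, is something an administrator can look for in their own instance. The program below is an added example, not tooling from Wiz or the Gogs project: it takes a list of repository records (assumed to be exported from the Gogs database or its API; the sample inventory here is constructed), applies a simple heuristic for machine-generated names, and flags only those that appear in a cluster, so a single unusual name on its own is not reported.

```go
package main

import (
	"fmt"
	"sort"
	"time"
	"unicode"
)

// Repo is one repository record. The fields are assumed to be available from an
// export of the Gogs database or its API; the values used below are constructed.
type Repo struct {
	Owner   string
	Name    string
	Created time.Time
}

// looksRandom is a heuristic for machine-generated names: exactly 8 characters,
// alphanumeric only, and either mixing letters with digits or mixing case.
func looksRandom(s string) bool {
	if len(s) != 8 {
		return false
	}
	var lower, upper, digit int
	for _, r := range s {
		switch {
		case unicode.IsLower(r):
			lower++
		case unicode.IsUpper(r):
			upper++
		case unicode.IsDigit(r):
			digit++
		default:
			return false
		}
	}
	return (lower+upper > 0 && digit > 0) || (lower > 0 && upper > 0)
}

func absDur(d time.Duration) time.Duration {
	if d < 0 {
		return -d
	}
	return d
}

// FlagClusters returns repositories whose owner and name both look random and
// that were created within window of at least minPeers other such repositories.
// Isolated random-looking names are left alone to keep false positives down.
func FlagClusters(repos []Repo, window time.Duration, minPeers int) []Repo {
	var cand []Repo
	for _, r := range repos {
		if looksRandom(r.Owner) && looksRandom(r.Name) {
			cand = append(cand, r)
		}
	}
	sort.Slice(cand, func(i, j int) bool { return cand[i].Created.Before(cand[j].Created) })
	var flagged []Repo
	for i, r := range cand {
		peers := 0
		for j, o := range cand {
			if i != j && absDur(r.Created.Sub(o.Created)) <= window {
				peers++
			}
		}
		if peers >= minPeers {
			flagged = append(flagged, r)
		}
	}
	return flagged
}

// SampleRepos is a constructed inventory: two ordinary repos, a burst of four
// random-looking owner/repo pairs within six minutes, and one isolated random pair.
func SampleRepos() []Repo {
	t0 := time.Date(2025, 7, 10, 3, 14, 0, 0, time.UTC) // constructed timestamp
	return []Repo{
		{"alice", "infra-tools", t0.Add(-48 * time.Hour)},
		{"qa-team", "release-notes", t0.Add(-6 * time.Hour)},
		{"x7k2mq9p", "b3nz8r1t", t0},
		{"h4w9plq2", "zq8m3kx7", t0.Add(2 * time.Minute)},
		{"t2p8rn4v", "k9x1mwq6", t0.Add(4 * time.Minute)},
		{"m6q3zx8w", "p1r7vk2n", t0.Add(6 * time.Minute)},
		{"j8n2kq5w", "r4x9mt1z", t0.Add(30 * 24 * time.Hour)},
	}
}

func main() {
	for _, r := range FlagClusters(SampleRepos(), 10*time.Minute, 2) {
		fmt.Printf("%s  %s/%s\n", r.Created.Format(time.RFC3339), r.Owner, r.Name)
	}
}
```

With a ten-minute window and a minimum of two peers, the four burst entries are reported and the isolated one a month later is not. The window and peer threshold are knobs, not facts from the report: tighten them on a busy public instance, loosen them on a small internal one, and treat a hit as a prompt to inspect the repository contents and the server's `.git/config` files rather than as proof of compromise.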

All Gogs servers running version 0.13.3 or older are vulnerable to CVE-2025-8110 if they are exposed to the internet and have open registration enabled.

The Gogs maintainers are working on a fix for this vulnerability, but as of December 10, no patch is available.

Written by Ionut Arghire, an international correspondent for SecurityWeek.
