https://github.com/gogs/gogs offers an MIT-licensed self-hosted git service.

https://www.wiz.io/blog/wiz-research-gogs-cve-2025-8110-rce-exploit warns of
CVE-2025-8110, a vulnerability in this service that is still unfixed at the
time of writing and that Wiz reports is being actively exploited.

It says:

Executive Summary
-----------------

    While investigating a malware infection on a customer workload,
    Wiz Research discovered an active zero-day vulnerability in Gogs,
    a popular self-hosted Git service.

    A symlink bypass (CVE-2025-8110) of a previously patched RCE
    (CVE-2024-55947) allows authenticated users to overwrite files
    outside the repository, leading to Remote Code Execution (RCE).

    We identified over 700 compromised instances public-facing on the internet.

    As of December 1, 2025, active exploitation is ongoing, and a
    patch is not yet available.

Introduction
------------

On July 10th, the Wiz Threat Research team observed malware findings
on public-facing instances of Gogs, a popular self-hosted Git
service. What began as a routine investigation into an infected
machine turned into the accidental discovery of a live zero-day
vulnerability.

During our analysis of the exploitation attempts, we identified that
the threat actor was leveraging a previously unknown flaw to
compromise instances. We responsibly disclosed this vulnerability to
the maintainers. They are currently working on a fix, but active
exploitation continues in the wild.

What is Gogs
------------

Gogs is a popular self-hosted Git service written in Go. It provides a
lightweight alternative to GitLab or GitHub Enterprise and is popular
among developers for its ease of deployment and minimal resource
usage. Because it is self-hosted, it is frequently found in both
on-premise and cloud environments, often exposed to the internet to
enable remote collaboration.

The popularity of Gogs makes it a significant target. In our external
scan, we identified over 1,400 Gogs servers publicly exposed to the
internet. Many of these instances are configured with "Open
Registration" enabled by default, creating a massive attack surface
for the vulnerability described below.

What is CVE-2025-8110?
----------------------

CVE-2025-8110 is, effectively, a bypass for an earlier RCE vulnerability
(CVE-2024-55947) originally discovered by ManassehZhou.

The History (CVE-2024-55947)
----------------------------

The previous flaw abused a path traversal weakness in the PutContents
API. It allowed an attacker to write files outside the git repository
directory, granting the ability to overwrite sensitive system files or
configuration files to achieve code execution. The maintainers
addressed this by adding input validation on the path parameter.

The Bypass (CVE-2025-8110)
--------------------------

Unfortunately, the fix implemented for the previous CVE did not
account for symbolic links.

This new bypass relies on two key facts:

 1. Git, and consequently Gogs, allow symbolic links to be used in git
    repositories, and those symbolic links can point to objects
    outside the repository.

 2. The Gogs API allows file modification outside of the regular git
    protocol, and the previous iteration of this implementation didn't
    properly check for symbolic link abuse.

The Gogs API allows file modification outside of the regular git
protocol, and while it now validates path names, it fails to validate
the destination of a symbolic link. Because Gogs respects standard Git
behavior, it allows users to commit symbolic links to repositories.
The vulnerability arises because the API writes to the file path
without checking if the target file is actually a symlink pointing
outside the repo. This effectively renders the previous path
validation useless if a symlink is involved.

The Attack Chain
----------------

The exploitation process is trivial for any user with repository
creation permissions (enabled by default):

 1. The attacker creates a standard git repository.

 2. They commit a single symbolic link pointing to a sensitive target.

 3. Using the PutContents API, they write data to the symlink. The system
    follows the link and overwrites the target file outside the repository.

 4. By overwriting .git/config (specifically the sshCommand), the
    attacker can force the system to execute arbitrary commands.
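The mechanism described in the two sections above, as an added example in Go
(the language Gogs is written in). This is illustrative code written for this
page, not code from Gogs or from the Wiz post; the function names, the
lexical path check standing in for the CVE-2024-55947 fix, and the temporary
directory layout are all assumptions. naiveWrite validates the path name and
then writes with os.WriteFile, which follows symbolic links; safeWrite
resolves the parent directory, checks that it is still under the repository
root, and opens the final element with O_NOFOLLOW. demo builds a "repository"
directory containing a symlink to a file outside it (step 2 of the chain) and
runs both writers against it (step 3).

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

// validateRelPath stands in for the lexical check the CVE-2024-55947 fix
// added: it rejects traversal in the name but knows nothing about the
// filesystem, so a committed symlink named "config" passes untouched.
func validateRelPath(relPath string) error {
	if relPath == "" || filepath.IsAbs(relPath) || strings.Contains(relPath, "..") {
		return fmt.Errorf("rejecting path %q", relPath)
	}
	return nil
}

// naiveWrite models the vulnerable pattern: name validated, then a plain
// WriteFile, which follows symbolic links wherever they point.
func naiveWrite(repoRoot, relPath string, data []byte) error {
	if err := validateRelPath(relPath); err != nil {
		return err
	}
	return os.WriteFile(filepath.Join(repoRoot, relPath), data, 0o644)
}

// safeWrite is the hardened form: resolve the parent directory through any
// symlinks and require it to stay under the (resolved) repo root, then open
// the final element with O_NOFOLLOW so the open itself fails if that element
// is a symlink, leaving no check-then-use window. The parent directory must
// already exist; creating directories would need the same containment check.
func safeWrite(repoRoot, relPath string, data []byte) error {
	if err := validateRelPath(relPath); err != nil {
		return err
	}
	root, err := filepath.EvalSymlinks(repoRoot)
	if err != nil {
		return err
	}
	target := filepath.Join(root, relPath)
	parent, err := filepath.EvalSymlinks(filepath.Dir(target))
	if err != nil {
		return err
	}
	rel, err := filepath.Rel(root, parent)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return fmt.Errorf("%q resolves outside the repository", relPath)
	}
	f, err := os.OpenFile(filepath.Join(parent, filepath.Base(target)),
		os.O_WRONLY|os.O_CREATE|os.O_TRUNC|syscall.O_NOFOLLOW, 0o644)
	if err != nil {
		return err
	}
	defer f.Close()
	_, err = f.Write(data)
	return err
}

// demo builds the attack layout in a temp dir (constructed, not a real Gogs
// repository): repo/config -> ../victim/config and repo/lnkdir -> ../victim.
// It reports whether each writer let attacker data reach victim/config and
// whether the hardened writer still accepts an ordinary new file.
func demo() (naiveEscaped, safeEscaped, legitOK bool, err error) {
	base, err := os.MkdirTemp("", "gogs-symlink-")
	if err != nil {
		return
	}
	defer os.RemoveAll(base)
	repo, victim := filepath.Join(base, "repo"), filepath.Join(base, "victim")
	victimFile := filepath.Join(victim, "config")
	for _, e := range []error{
		os.MkdirAll(repo, 0o755), os.MkdirAll(victim, 0o755),
		os.Symlink("../victim/config", filepath.Join(repo, "config")), // step 2 of the chain
		os.Symlink("../victim", filepath.Join(repo, "lnkdir")),
	} {
		if e != nil {
			return false, false, false, e
		}
	}
	payload := []byte("# attacker-controlled content\n")
	reset := func() { _ = os.WriteFile(victimFile, []byte("original\n"), 0o644) }
	hit := func() bool {
		got, _ := os.ReadFile(victimFile)
		return string(got) == string(payload)
	}
	reset()
	_ = naiveWrite(repo, "config", payload) // step 3 of the chain: the link is followed
	naiveEscaped = hit()
	reset()
	e1 := safeWrite(repo, "config", payload)        // symlinked file
	e2 := safeWrite(repo, "lnkdir/config", payload) // symlinked directory
	safeEscaped = hit() || e1 == nil || e2 == nil
	legitOK = safeWrite(repo, "README.md", []byte("hello\n")) == nil
	return
}

func main() {
	n, s, l, err := demo()
	fmt.Println("naive escaped:", n, "hardened escaped:", s, "hardened accepts normal file:", l, "err:", err)
}
```

Run with go run on Linux or macOS: the naive writer overwrites victim/config
through the link, while the hardened writer refuses both the symlinked file
and the write through a symlinked directory and still creates README.md
inside the repository. Note that validateRelPath passes the name "config"
unchanged, which is exactly the gap the post describes: a name-only check
cannot see where a committed link points.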

[...]

Disclosure Timeline
-------------------

The patch status for this vulnerability is critical. Despite responsible
disclosure, the vulnerability remains unpatched in the main branch as of
this writing.

    July 10, 2025: First indication of exploitation observed by Wiz.

    July 15, 2025: Discovery of Supershell malware on a vulnerable machine.

    July 17, 2025: Vulnerability reported to Gogs maintainers.

    Oct 30, 2025: Acknowledgment of the vulnerability by Gogs maintainers.

    Nov 1, 2025: A second wave of attacks observed in the wild.

    Dec 10, 2025: The vulnerability has not yet been fixed.

Remediation & Mitigation
------------------------

Are you vulnerable? If you are running a Gogs server (version <= 0.13.3) that 
is:

 1. Exposed to the internet.

 2. Has open-registration enabled (default setting).

Then you are vulnerable to CVE-2025-8110.

Immediate Actions:

 1. If your instance does not require open-registration, disable this
    immediately.

 2. Limit internet exposure. Place self-hosted Git services behind a VPN
    or use an allow-list for IP addresses.

 3. Look for the creation of repositories with random 8-character names or
    unexpected usage of the PutContents API.
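Item 3 above, as an added detection example in Go; this is written for this
page and is not from the Wiz post or from Gogs. It assumes the PutContents
endpoint is a PUT to /api/v1/repos/<owner>/<repo>/contents/<path> and that
a reverse proxy in front of Gogs records combined-format access logs; the log
lines in the block are constructed for the example. It flags PUT requests to
the contents API and, as a heuristic for "random 8-character names",
repository names of exactly eight alphanumerics that mix letters and digits.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"regexp"
	"strings"
)

// Constructed sample (not real Gogs output): combined-format access-log lines
// as a reverse proxy in front of Gogs would record them. One client registers,
// creates a repository and writes through the contents API; another edits a
// normally named repository.
const sampleLog = `203.0.113.7 - - [10/Jul/2025:09:14:02 +0000] "POST /user/sign_up HTTP/1.1" 302 0 "-" "python-requests/2.31"
203.0.113.7 - - [10/Jul/2025:09:14:05 +0000] "POST /api/v1/user/repos HTTP/1.1" 201 842 "-" "python-requests/2.31"
203.0.113.7 - - [10/Jul/2025:09:14:07 +0000] "GET /api/v1/repos/x9kq2p/aB3dE7fG HTTP/1.1" 200 842 "-" "python-requests/2.31"
203.0.113.7 - - [10/Jul/2025:09:14:09 +0000] "PUT /api/v1/repos/x9kq2p/aB3dE7fG/contents/config HTTP/1.1" 201 310 "-" "python-requests/2.31"
198.51.100.4 - - [10/Jul/2025:09:20:41 +0000] "GET /alice/infra-tools HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jul/2025:09:21:03 +0000] "PUT /api/v1/repos/alice/infra-tools/contents/docs/README.md HTTP/1.1" 200 402 "-" "Mozilla/5.0"
`

var (
	// client, timestamp, method, path, status from a combined-format line
	lineRE = regexp.MustCompile(`^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})`)
	// Assumption: the repository API lives under /api/v1/repos/<owner>/<repo>/...
	// and PutContents is a PUT to .../contents/<path>.
	repoRE = regexp.MustCompile(`^/api/v1/repos/([^/]+)/([^/]+)(?:/(.*))?$`)
	alnum8 = regexp.MustCompile(`^[A-Za-z0-9]{8}$`)
)

// Finding is one indicator from the post's "Immediate Actions" item 3.
type Finding struct {
	Kind   string // "contents_write" or "random_repo_name"
	Client string
	When   string
	Repo   string // owner/name
	Path   string // repository path written, for contents_write
}

// looksRandom is a heuristic for "random 8-character names": exactly eight
// alphanumerics mixing letters and digits. Plain words such as "mainsite"
// do not trigger it; expect some false positives and review before acting.
func looksRandom(name string) bool {
	return alnum8.MatchString(name) &&
		strings.ContainsAny(name, "0123456789") &&
		strings.ContainsAny(name, "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")
}

// scan reads access-log lines and returns findings; a random-name finding is
// reported once per repository, a contents write once per request.
func scan(r io.Reader) []Finding {
	var out []Finding
	seen := map[string]bool{}
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		m := lineRE.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		client, when, method, path := m[1], m[2], m[3], m[4]
		rm := repoRE.FindStringSubmatch(path)
		if rm == nil {
			continue
		}
		repo, rest := rm[1]+"/"+rm[2], rm[3]
		if method == "PUT" && strings.HasPrefix(rest, "contents/") {
			out = append(out, Finding{"contents_write", client, when, repo, strings.TrimPrefix(rest, "contents/")})
		}
		if looksRandom(rm[2]) && !seen[repo] {
			seen[repo] = true
			out = append(out, Finding{"random_repo_name", client, when, repo, ""})
		}
	}
	return out
}

// countKind counts findings of one kind, for summaries.
func countKind(fs []Finding, kind string) int {
	n := 0
	for _, f := range fs {
		if f.Kind == kind {
			n++
		}
	}
	return n
}

func main() {
	for _, f := range scan(strings.NewReader(sampleLog)) {
		fmt.Printf("%-17s %-13s %s %s %s\n", f.Kind, f.Client, f.When, f.Repo, f.Path)
	}
}
```

On the sample above the scanner reports the random-looking repository once
and two contents writes; the write from alice to infra-tools is a legitimate
use of the same API, so a contents write on its own is only a lead. The
combination that matters is a freshly registered account, a random-looking
repository name and a PUT to the contents API from the same client within
seconds, which is what the first four lines show.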


The original blog post at
   https://www.wiz.io/blog/wiz-research-gogs-cve-2025-8110-rce-exploit
has further details, including images that are missing from the plain
text quotations above.
