Ethical Hacking News
A severe security vulnerability has been discovered in Gogs, a self-hosted Git service, with over 700 instances compromised by malicious actors. The exploit takes advantage of improper symbolic link handling in the PutContents API, allowing attackers to achieve arbitrary code execution and gain SSH access. In this article, we'll delve into the details of the CVE-2025-8110 vulnerability and provide guidance on how users can secure their Gogs instances.
Over 700 Gogs instances have been compromised through a high-severity vulnerability (CVE-2025-8110) that was unpatched at the time of writing. The flaw lets an attacker write a file to an arbitrary path on the server and, from there, gain SSH access. A fix is in the works; in the meantime, users are advised to disable open registration and scan their instances for suspicious activity.
According to The Hacker News, citing new findings from Wiz, the flaw has come under active exploitation, with more than 700 compromised instances reachable over the internet.
The flaw, tracked as CVE-2025-8110 (CVSS score: 8.7), is an arbitrary file overwrite in the Gogs file-update API. Until a patched release ships, users are advised to disable open registration, limit the instance's exposure to the internet, and scan it for repositories with random eight-character names, the naming pattern seen in the compromised instances.
According to Wiz, the attackers left the repositories they created (e.g., "IV79VAew / Km4zoh4s") in place on the customer's cloud workload when they could have deleted them or marked them private after the infection. That carelessness points to a "smash-and-grab" campaign and suggests that a single actor, or a group of actors sharing the same tooling, is responsible for all of the infections.
Wiz researchers discovered the zero-day in July 2025 while investigating a malware infection on a customer's machine. The company said it stumbled upon the vulnerability while working on the previously patched remote code execution flaw in Gogs, CVE-2024-55947.
"Improper symbolic link handling in the PutContents API in Gogs allows local execution of code," according to the description of the vulnerability on CVE.org. The weakness is a bypass of the fix for that earlier flaw: it again allows an attacker to write a file to an arbitrary path on the server, which is enough to gain SSH access to it.
Wiz explained that the fix Gogs put in place for CVE-2024-55947 can be circumvented because Git (and therefore Gogs) allows symbolic links in repositories, and those symlinks can point to files or directories outside the repository. The fix did not account for this, so a symlink committed to a repository can redirect a write made through the file-update API to a location outside the repository; Wiz describes the resulting path to arbitrary code execution as a four-step process.
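The symlink redirection described above, as an added illustration that is not Gogs code and not part of the original article: a minimal Go model of a file-update API. putContentsVulnerable stands in for a handler that only normalises the requested path lexically (enough to stop the "../" traversal of the earlier bug), while putContentsHardened resolves the physical location before writing. The repository layout, the "dotssh" symlink, the fake .ssh directory and the SSH key line are all constructed for the demonstration, and the function names are the example's own, not the Gogs API.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

// ErrOutsideRepo is returned when the requested path physically resolves outside the repository.
var ErrOutsideRepo = errors.New("path resolves outside the repository")

// putContentsVulnerable models a file-update API whose only defence is lexical path
// normalisation: "../" is stripped, so classic traversal is blocked, but the write still goes
// through whatever the filesystem finds at that path, including a symlink committed into the repo.
func putContentsVulnerable(repoRoot, relPath string, data []byte) (string, error) {
	target := filepath.Join(repoRoot, filepath.Clean("/"+relPath))
	if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
		return "", err
	}
	// Symlinked directory components and a symlink at the final component are all followed.
	return target, os.WriteFile(target, data, 0o644)
}

// putContentsHardened canonicalises the parent directory and refuses it unless it lies inside
// the canonical repository root, then opens the file with O_NOFOLLOW (Unix-specific) so a symlink
// at the final component is not followed either. The parent directory must already exist.
func putContentsHardened(repoRoot, relPath string, data []byte) (string, error) {
	rootReal, err := filepath.EvalSymlinks(repoRoot)
	if err != nil {
		return "", err
	}
	target := filepath.Join(rootReal, filepath.Clean("/"+relPath))
	dirReal, err := filepath.EvalSymlinks(filepath.Dir(target)) // resolves directory symlinks
	if err != nil {
		return "", err
	}
	if dirReal != rootReal && !strings.HasPrefix(dirReal, rootReal+string(os.PathSeparator)) {
		return "", ErrOutsideRepo
	}
	phys := filepath.Join(dirReal, filepath.Base(target))
	// O_NOFOLLOW covers only the last component (hence the directory check above); a symlink
	// at phys, dangling or not, makes the open fail with ELOOP instead of being followed.
	f, err := os.OpenFile(phys, os.O_WRONLY|os.O_CREATE|os.O_TRUNC|syscall.O_NOFOLLOW, 0o644)
	if err != nil {
		return "", err
	}
	defer f.Close()
	_, err = f.Write(data)
	return phys, err
}

type scenarioResult struct {
	VulnEscaped bool  // vulnerable version created a file outside the repository
	HardenedErr error // hardened version's verdict on the same request
	BenignOK    bool  // hardened version still serves an ordinary in-repo write
}

// runScenario builds a throwaway repository containing a symlink "dotssh" that points at a fake
// ~/.ssh directory outside it (all constructed) and sends "dotssh/authorized_keys" to both APIs.
func runScenario() (scenarioResult, error) {
	var r scenarioResult
	base, err := os.MkdirTemp("", "symlink-write-demo-*")
	if err != nil {
		return r, err
	}
	defer os.RemoveAll(base)
	exists := func(p string) bool { _, statErr := os.Stat(p); return statErr == nil }
	repoRoot := filepath.Join(base, "repo")
	outsideSSH := filepath.Join(base, "home", "git", ".ssh")
	for _, d := range []string{repoRoot, outsideSSH} {
		if err := os.MkdirAll(d, 0o755); err != nil {
			return r, err
		}
	}
	if err := os.Symlink(outsideSSH, filepath.Join(repoRoot, "dotssh")); err != nil {
		return r, err
	}
	payload := []byte("ssh-ed25519 AAAA-constructed-example-key attacker@example\n")
	if _, err := putContentsVulnerable(repoRoot, "dotssh/authorized_keys", payload); err != nil {
		return r, err
	}
	r.VulnEscaped = exists(filepath.Join(outsideSSH, "authorized_keys"))
	_, r.HardenedErr = putContentsHardened(repoRoot, "dotssh/authorized_keys", payload)
	_, err = putContentsHardened(repoRoot, "README.md", []byte("constructed readme\n"))
	r.BenignOK = err == nil && exists(filepath.Join(repoRoot, "README.md"))
	return r, nil
}

func main() {
	r, err := runScenario()
	if err != nil {
		fmt.Println("setup failed:", err)
		os.Exit(1)
	}
	fmt.Printf("vulnerable escaped: %v, hardened verdict: %v, in-repo write ok: %v\n", r.VulnEscaped, r.HardenedErr, r.BenignOK)
}
```

The asymmetry the example shows is that O_NOFOLLOW on the final open is not enough by itself: the kernel always follows symlinked directory components, so the parent directory has to be canonicalised and compared against the canonical repository root. The check still leaves a window between resolution and open; a production implementation would open the directory and use openat-style relative opens, or refuse repositories that contain symlinks at all.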
To summarize, Wiz discovered a high-severity unpatched security vulnerability (CVE-2025-8110) in Gogs that allows an attacker to write a file to an arbitrary path on the server and gain SSH access. The flaw is due to improper symbolic link handling in the PutContents API of the Go-based self-hosted Git service.
A fix is in the works. Until it is released, users should keep the interim mitigations in place, scan their repositories for suspicious activity, and apply the patch as soon as it is available; the incident is also a reminder to keep every instance current with security updates.
This incident serves as a stark reminder of the ever-present threat landscape in the digital world. As cybersecurity threats continue to evolve, it is crucial that organizations prioritize proactive measures to safeguard against such incidents. By following best practices and staying informed about emerging vulnerabilities, users can minimize their exposure to potential security breaches.
Related Information:
https://www.ethicalhackingnews.com/articles/A-Looming-Threat-The-Unpatched-Gogs-Zero-Day-Exploitation-Scourge-ehn.shtml
https://thehackernews.com/2025/12/unpatched-gogs-zero-day-exploited.html
Published: Thu Dec 11 04:44:24 2025 by llama3.2 3B Q4_K_M