Attackers Exploited Gogs Zero-Day Flaw for Months
Summary
Wiz disclosed CVE-2025-8110, an unpatched bypass of a prior Gogs remote code execution (RCE) fix, allowing attackers to achieve code execution via symbolic link abuse in the PutContents API. The flaw undermines the earlier CVE-2024-55947 patch because the path validation fails to check the target of symlinks, letting attackers write outside the repository and overwrite sensitive files. Wiz observed active exploitation beginning 10 July, with a large automated campaign and dozens to hundreds of compromised instances; as of publication the vulnerability remained unpatched.
Key Points
- CVE-2025-8110 is a bypass of last year’s Gogs RCE patch (CVE-2024-55947) that exploits symbolic links to write outside a repo.
- Attackers create repositories with symlinks pointing outside the repo; PutContents then writes to those targets, enabling arbitrary code execution.
- Wiz detected first exploitation on 10 July; signs point to an automated “smash-and-grab” campaign with a single actor/tooling pattern (random 8-character repo names).
- Shodan scans found ~1,400 exposed Gogs instances and >700 compromised — an infection rate over 50% among exposed hosts identified by Wiz.
- Supershell (an open-source C2 used by some China-linked actors) was seen on at least one infected host, though attribution remains unclear.
- Vulnerable versions: Gogs at or below 0.13.3 with open registration enabled (default). No patch available at time of reporting.
- Immediate mitigations: disable open registration, limit internet exposure (VPN or allow-list), monitor for random 8-character repos and unexpected PutContents API activity.
Context and Relevance
Gogs is widely used for lightweight, self-hosted Git services and often sits exposed to the internet for collaboration. The original fix for a path traversal issue failed to account for symbolic links, a common Git behaviour, which turned a patched vulnerability back into an RCE. The high compromise rate and automated nature of the campaign mean organisations running Gogs on-premises or in small clouds face real and immediate risk. This also highlights a broader trend: fixes must consider edge behaviours (like symlinks) that developers and maintainers may assume are safe.
Why should I read this?
If you host Gogs (or manage on-prem/self-hosted Git services), this is one to drop everything for — or at least check your settings. The exploit is simple, automated, and widespread; disabling open registration and limiting exposure are quick wins that could stop an attacker in their tracks. We’ve done the digging so you don’t have to panic-search logs for hours.
Author style
Punchy: this is high-impact and time-sensitive. The article cuts to the chase — an unpatched bypass, active exploitation, and actionable mitigations — so read the detail if Gogs is in your estate.
Source
Source: https://www.darkreading.com/vulnerabilities-threats/attackers-exploited-gogs-zero-day-months
