Jan 13, 2026Ravie LakshmananVulnerability / Community Safety
The U.S. Cybersecurity and Infrastructure Safety Company (CISA) has warned of energetic exploitation of a high-severity safety flaw impacting Gogs by including it to its Identified Exploited Vulnerabilities (KEV) catalog.
The vulnerability, tracked as CVE-2025-8110 (CVSS rating: 8.7), pertains to a case of path traversal within the repository file editor that would lead to code execution.
“Gogs Path Traversal Vulnerability: Gogs accommodates a path traversal vulnerability affecting improper Symbolic hyperlink dealing with within the PutContents API that would permit for code execution,” CISA stated in an advisory.
Particulars of the shortcoming got here to gentle final month when Wiz stated it found it being exploited in zero-day assaults. The vulnerability basically bypasses protections put in place for CVE-2024-55947 to attain code execution by making a git repository, committing a symbolic hyperlink pointing to a delicate goal, and utilizing the PutContents API to write down information to the symlink.
This, in flip, causes the underlying working system to navigate to the precise file the symlink factors to and overwrites the goal file outdoors the repository. An attacker might leverage this habits to overwrite Git configuration information, particularly the sshCommand setting, giving them code execution privileges.
Wiz stated it recognized 700 compromised Gogs cases. In accordance with information from the assault floor administration platform Censys, there are about 1,600 internet-exposed Gogs servers, out of which nearly all of them are situated in China (991), the U.S. (146), Germany (98), Hong Kong (56), and Russia (49).
There are at the moment no patches that tackle CVE-2025-8110, though pull requests on GitHub present that the required code modifications have been made. “As soon as the picture is constructed on important, each gogs/gogs:newest and gogs/gogs:next-latest could have this CVE patched,” one of many challenge maintainers stated final week.
Within the absence of a repair, Gogs customers are suggested to disable the default open-registration setting and restrict server entry utilizing a VPN or an allow-list. Federal Civilian Government Department (FCEB) companies are required to use the required mitigations by February 2, 2026.
