Unpatched Gogs Vulnerability Under Active Exploitation


Security researchers at Wiz have disclosed CVE-2025-8110, a critical vulnerability affecting self-hosted Gogs, a popular lightweight Git service widely used in on-prem and cloud environments.

This flaw is a bypass of a previously patched RCE vulnerability (CVE-2024-55947). While the original issue addressed path traversal, the fix failed to account for symbolic link abuse, allowing attackers to overwrite sensitive files outside the repository and execute arbitrary commands.

🔓 Why this is dangerous

  • Gogs is often exposed to the internet for collaboration
  • The attack chain is simple and fully automated
  • Wiz identified 700+ compromised instances out of ~1,400 exposed
  • Infections show identical patterns, suggesting a single coordinated actor
  • Supershell C2, previously linked to China-based threat actors, was detected

🧬 How the attack works

Attackers:

  1. Create a repository
  2. Commit a symbolic link pointing outside the repo
  3. Abuse the PutContents API to overwrite sensitive system files
  4. Achieve remote code execution

The presence of symlinks effectively renders the previous security fix useless.

🛡️ Mitigation guidance (until a patch is released)

✔ Disable open registration (default setting)
✔ Restrict access (VPN, IP allow-listing)
✔ Monitor for:

  • Repositories with random 8-character names
  • Suspicious PutContents API activity

✔ Treat exposed instances as potentially compromised
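As an added detection sketch for the two monitoring points above (this is not code from the original post or from the Gogs project): it scans constructed web-server access-log lines for PutContents API calls and rates calls against random-looking 8-character repository names as high. The `/api/v1/repos/{owner}/{repo}/contents/{path}` route shape and the Combined Log Format lines are assumptions; tune the name heuristic to your own naming conventions.

```python
import re

# Constructed sample Gogs access-log lines (Combined Log Format); not real data.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jul/2025:10:01:02 +0000] "PUT /api/v1/repos/alice/website/contents/index.html HTTP/1.1" 200 512
198.51.100.7 - - [10/Jul/2025:10:02:15 +0000] "POST /api/v1/user/repos HTTP/1.1" 201 890
198.51.100.7 - - [10/Jul/2025:10:02:20 +0000] "PUT /api/v1/repos/qx7vb2kp/qx7vb2kp/contents/link HTTP/1.1" 200 455
198.51.100.7 - - [10/Jul/2025:10:02:21 +0000] "PUT /api/v1/repos/qx7vb2kp/qx7vb2kp/contents/link/config HTTP/1.1" 200 460
192.0.2.9 - - [10/Jul/2025:10:05:00 +0000] "GET /alice/website HTTP/1.1" 200 2048
"""

# Assumed route shape for Gogs' PutContents API (GitHub-style contents endpoint).
PUT_CONTENTS = re.compile(
    r'"PUT /api/v1/repos/(?P<owner>[^/\s]+)/(?P<repo>[^/\s]+)/contents/(?P<path>[^\s"]*)'
)
LOG_PREFIX = re.compile(r"^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\]")
# "Random 8-character name" heuristic from the advisory; noisy on purpose, tune locally.
RANDOM_NAME = re.compile(r"[a-z0-9]{8}")

def scan_log(text: str) -> list[dict]:
    """Return one finding per PutContents call; 'high' when the repo name looks auto-generated."""
    findings = []
    for line in text.splitlines():
        call = PUT_CONTENTS.search(line)
        if not call:
            continue
        head = LOG_PREFIX.match(line)
        repo = call.group("repo")
        severity = "high" if RANDOM_NAME.fullmatch(repo) else "review"
        findings.append({
            "ip": head.group("ip") if head else "?",
            "ts": head.group("ts") if head else "?",
            "repo": f"{call.group('owner')}/{repo}",
            "path": call.group("path"),
            "severity": severity,
        })
    return findings

def summarize(findings: list[dict]) -> dict[str, int]:
    """Count PutContents calls per source IP; a burst from one address is the automation tell."""
    per_ip: dict[str, int] = {}
    for f in findings:
        per_ip[f["ip"]] = per_ip.get(f["ip"], 0) + 1
    return per_ip

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f"[{h['severity']:6}] {h['ts']} {h['ip']} {h['repo']} -> {h['path']}")
    print("PutContents calls per IP:", summarize(hits))
```

Any "high" hit on an internet-facing instance is a reason to treat the host as compromised and pull the repository contents and server logs for review, not just to block the source address.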

📌 Affected versions: Gogs ≤ 0.13.3
📌 Patch status: ❌ Not available as of now

This incident highlights the real-world impact of incomplete security fixes and the risks of exposed developer infrastructure.
