A vulnerability in self-hosted Git service Gogs is facing widespread exploitation, and no patch is available at this time.
That’s according to Wiz, which on Dec. 10 published research disclosing CVE-2025-8110, a bypass for a remote code execution vulnerability disclosed for Gogs last year (CVE-2024-55947). Though that previous bug was patched, this new flaw enables threat actors to execute code in vulnerable environments due to a security gap in the original fix.
Gogs is popular open source software thanks to its minimal system requirements and ease of use. It is present in thousands of on-premises and cloud environments and, more concerning for a vulnerability like this, is "often exposed to the internet to enable remote collaboration," according to Wiz researchers Gili Tikochinski and Yaara Shriki.
How CVE-2025-8110 Works
As Tikochinski and Shriki put it, previous bug CVE-2024-55947 "abused a path traversal weakness in the PutContents API."
"It allowed an attacker to write files outside the git repository directory, granting the ability to overwrite sensitive system files or configuration files to achieve code execution," they wrote in the blog post. "The maintainers addressed this by adding input validation on the path parameter."
The problem with the fix, the researchers explained, was that it did not account for symbolic links, and more specifically for symbolic link abuse.
"The Gogs API allows file modification outside of the regular git protocol, and while it now validates path names, it fails to validate the destination of a symbolic link. Because Gogs respects standard Git behavior, it allows users to commit symbolic links to repositories," Tikochinski and Shriki wrote. "The vulnerability arises because the API writes to the file path without checking if the target file is actually a symlink pointing outside the repo. This effectively renders the previous path validation useless if a symlink is involved."
The resulting attack chain for the new vulnerability is trivial: the attacker creates a standard Git repository, uses a symbolic link to overwrite a sensitive target file, and can then execute arbitrary commands.
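The gap the researchers describe is easiest to see side by side. The Go snippet below is an added illustration, not code from Gogs or from the Wiz write-up: lexicalCheck is the kind of string-only path validation that the original fix relied on, and resolvedCheck adds the step it lacked, resolving symlinks before trusting the destination. The repository layout, file names and function names are constructed for the demo.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// lexicalCheck inspects only the path string, so "config/app.ini" passes even when "config" is a symlink.
func lexicalCheck(repoRoot, rel string) (string, error) {
	full := filepath.Join(repoRoot, filepath.Clean("/"+rel))
	if !strings.HasPrefix(full, repoRoot+string(os.PathSeparator)) {
		return "", fmt.Errorf("%q escapes the repository", rel)
	}
	return full, nil
}

// resolvedCheck adds the missing step: resolve the parent directory through
// symlinks, keep it under the resolved root, and refuse a symlinked leaf.
func resolvedCheck(repoRoot, rel string) (string, error) {
	full, err := lexicalCheck(repoRoot, rel)
	if err != nil {
		return "", err
	}
	root, rootErr := filepath.EvalSymlinks(repoRoot)
	dir, dirErr := filepath.EvalSymlinks(filepath.Dir(full))
	if rootErr != nil || dirErr != nil || (dir != root && !strings.HasPrefix(dir, root+string(os.PathSeparator))) {
		return "", fmt.Errorf("%q resolves outside the repository", rel)
	}
	if fi, err := os.Lstat(full); err == nil && fi.Mode()&os.ModeSymlink != 0 {
		return "", fmt.Errorf("%q is a symlink; refusing to write through it", rel)
	}
	return full, nil
}

// Demo builds a constructed repo whose "config" entry is a symlink to a directory outside it.
func Demo() (lexicalPassed, resolvedPassed bool) {
	base, err := os.MkdirTemp("", "symlink-demo")
	repo, outside := filepath.Join(base, "repo"), filepath.Join(base, "outside")
	if err = errors.Join(err, os.Mkdir(repo, 0o755), os.Mkdir(outside, 0o755),
		os.Symlink(outside, filepath.Join(repo, "config"))); err != nil {
		panic(err)
	}
	defer os.RemoveAll(base)
	_, lexErr := lexicalCheck(repo, "config/app.ini")
	_, resErr := resolvedCheck(repo, "config/app.ini")
	return lexErr == nil, resErr == nil
}
```

Demo returns true for the lexical check and false for the symlink-aware one on the same path, which is exactly the discrepancy that made the earlier validation ineffective once a symlink was involved.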
Wiz saw its first indication of exploitation on July 10, and activity has since exploded into what the researchers described as "an automated, ‘smash-and-grab’ style" malware campaign, driven by what is likely a lone threat actor. While it is unclear who is behind the attacks, Wiz researchers detected Supershell, an open source command-and-control framework that has been used by China-linked threat actors, on an infected system.
Searching Shodan, Wiz was able to identify 1,400 exposed instances in total and more than 700 compromised ones, a compromise rate of more than one in two. "All infected instances shared the same pattern: 8-character random owner/repo names created within the same short time window (July 10th). This suggests that a single actor, or perhaps a group of actors all using the same tooling, are responsible for all infections," Wiz said.
CVE-2025-8110 Timeline and Mitigation
On July 17, Wiz reported the vulnerability to Gogs maintainers, who acknowledged receipt more than three months later, on Oct. 30.
In an email, a spokesperson for Wiz Research tells Dark Reading that the company reported the vulnerability to Gogs within two days of confirming active exploitation while following responsible disclosure practices.
"We did consider disclosing earlier, but ultimately waited in hopes of coordinated remediation," Wiz Research says. "When the vulnerability remained unpatched and we saw renewed exploitation in the wild, we chose to publish our findings to help others protect their environments."
A second wave of attacks was detected on Nov. 1, and as of the blog’s posting, CVE-2025-8110 has not been patched.
Wiz says that Gogs instances at or below version 0.13.3 with open registration enabled (the default setting) are vulnerable to CVE-2025-8110. Affected organizations are advised to disable open registration immediately if it is not needed, limit internet exposure (for example by placing instances behind a VPN or using an allow-list), and watch for the creation of repositories with random eight-character names or for unexpected PutContents API usage, both telltale signs of possible infection.
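The two indicators above translate into a small hunt. The Go program below is an added example, not from Wiz or the Gogs project: it runs over constructed access-log lines and reports PutContents writes into repositories with machine-looking names plus bursts of such repository creations inside a time window. The log format and the route shapes (repo creation as POST /api/v1/user/repos, PutContents as PUT .../contents/<path>) are assumptions made for the demo; adapt the regular expressions to your own reverse-proxy or Gogs log format.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
	"time"
)

// sampleLog is constructed for this demo, not real Gogs output; the route shapes are assumptions.
const sampleLog = `2025-07-10T09:14:02Z POST /api/v1/user/repos name=kq83xzv1
2025-07-10T09:14:03Z PUT /api/v1/repos/u7f2mz9q/kq83xzv1/contents/config/app.ini
2025-07-10T09:14:05Z POST /api/v1/user/repos name=p0aw3n7c
2025-07-10T09:14:09Z POST /api/v1/user/repos name=zz91qm4t
2025-07-11T14:03:10Z PUT /api/v1/repos/infra/docs/contents/README.md`

var (
	createRe = regexp.MustCompile(`^(\S+) POST /api/v1/user/repos name=(\S+)$`)
	putRe    = regexp.MustCompile(`^(\S+) PUT /api/v1/repos/([^/]+)/([^/]+)/contents/(.+)$`)
	// random8 alone is noisy (a legitimate "platform" matches); the creation burst is the real signal.
	random8 = regexp.MustCompile(`^[a-z0-9]{8}$`)
)

// Hunt applies the advisory's two indicators: PutContents writes into a repo whose owner or
// name matches random8, and minBurst or more such repo creations inside one window.
func Hunt(logText string, window time.Duration, minBurst int) []string {
	created, out := []time.Time{}, []string{}
	for _, line := range strings.Split(logText, "\n") {
		if m := createRe.FindStringSubmatch(line); m != nil && random8.MatchString(m[2]) {
			if ts, err := time.Parse(time.RFC3339, m[1]); err == nil {
				created = append(created, ts)
			}
		}
		if m := putRe.FindStringSubmatch(line); m != nil && (random8.MatchString(m[2]) || random8.MatchString(m[3])) {
			out = append(out, fmt.Sprintf("%s PutContents by %s/%s to %s", m[1], m[2], m[3], m[4]))
		}
	}
	sort.Slice(created, func(i, j int) bool { return created[i].Before(created[j]) })
	for i, j := 0, 0; i < len(created); i++ {
		for j < len(created) && created[j].Sub(created[i]) <= window {
			j++ // advance the window's right edge
		}
		if j-i >= minBurst {
			out = append(out, fmt.Sprintf("%s burst: %d random-named repos created within %s", created[i].Format(time.RFC3339), j-i, window))
			i = j - 1 // report each burst once, then skip past it
		}
	}
	return out
}
```

Running Hunt(sampleLog, 5*time.Minute, 3) yields one write finding for the u7f2mz9q/kq83xzv1 repository and one burst finding for the three creations at 09:14; the infra/docs write is left alone.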
About the Author
Senior News Writer, Dark Reading
Alex is an award-winning writer, journalist, and podcast host based in Boston. After cutting his teeth writing for independent gaming publications as a teenager, he graduated from Emerson College in 2016 with a Bachelor of Science in journalism. He has previously been published on VentureFizz, Search Security, Nintendo World Report, and elsewhere. In his spare time, Alex hosts the weekly Nintendo podcast Talk Nintendo Podcast and works on personal writing projects, including two previously self-published science fiction novels.