The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a stern warning regarding active exploitation of a critical security flaw within the Gogs Go Git Service. This high-severity vulnerability, now listed on CISA’s Known Exploited Vulnerabilities (KEV) catalog, poses a significant risk to organizations utilizing the popular self-hosted Git service.
The flaw, identified as CVE-2025-8110 and assigned a CVSS score of 8.7, allows for code execution through a path traversal vulnerability in the repository file editor. This discovery highlights an ongoing concern for network security and the protection of sensitive code repositories.
Gogs Path Traversal Vulnerability Under Active Exploitation
CISA’s advisory details that the Gogs path traversal vulnerability stems from improper handling of symbolic links within the PutContents API. This specific weakness can be exploited to achieve remote code execution on vulnerable systems. Attackers can leverage this by creating a git repository, committing a symbolic link that points to a sensitive target file, and then utilizing the PutContents API to write data to this symbolic link.
This sophisticated attack chain effectively bypasses security measures that were previously implemented to address vulnerabilities like CVE-2024-55947. By manipulating symbolic links, attackers can trick the underlying operating system into following the link to the actual target file, which lies outside the intended repository boundaries.
Route to Code Execution
The outcome of this manipulation is the overwriting of critical system files. Exploiting CVE-2025-8110 allows attackers to target and modify Git configuration files, specifically the `sshCommand` setting. Compromising this setting grants the attacker the ability to execute arbitrary code with elevated privileges on the affected server, leading to a complete system compromise.
Security researchers at Wiz initially brought this vulnerability to light last month, reporting that it was already being exploited in zero-day attacks. Their findings indicated a widespread impact, with approximately 700 Gogs instances identified as compromised.
Scope of Impact and Mitigation Efforts
Data from the attack surface management platform Censys reveals a significant number of internet-exposed Gogs servers globally, estimated at around 1,600. The geographical distribution shows a concentration in China, with 991 instances, followed by the United States (146), Germany (98), Hong Kong (56), and Russia (49). This widespread presence increases the potential attack surface for this vulnerability.
As of the reporting date, official patches for CVE-2025-8110 have not yet been released. However, pull requests on GitHub indicate that the necessary code changes are in development and have been made. Project maintainers have stated that once a new build is compiled and deployed to the main branch, both `gogs/gogs:latest` and `gogs/gogs:next-latest` image tags will include the fix for this CVE.
In the interim, Gogs users are strongly advised to implement immediate mitigation strategies. These include disabling the default open-registration setting to prevent unauthorized account creation and restricting server access through methods such as VPNs or IP address allow-listing. For federal Civilian Executive Branch (FCEB) agencies in the U.S., CISA has mandated the application of these necessary mitigations by February 2, 2026.
The coming weeks will be critical for organizations running Gogs instances as they await the official patch and implement the recommended workarounds. Continued monitoring of network security advisories and prompt application of updates will be essential to protect against active exploitation of this vulnerability.