Gogs Vulnerability: Code Execution Exploits – CISA Warning

by Priyanka Patel

CISA Warns of Active Exploitation of Critical Gogs Vulnerability

A high-severity security flaw in the Gogs code hosting platform is under active exploitation, prompting an urgent warning from the U.S. Cybersecurity and Infrastructure Security Agency (CISA). The agency has added the vulnerability, tracked as CVE-2025-8110 (CVSS score: 8.7), to its Known Exploited Vulnerabilities (KEV) catalog, signaling a significant and immediate threat.

The vulnerability stems from a path traversal issue within the repository file editor, potentially allowing attackers to achieve code execution on affected systems. “Gogs contains a path traversal vulnerability affecting improper Symbolic link handling in the PutContents API that could allow for code execution,” CISA stated in a recent advisory.

Zero-Day Exploitation Confirmed

Details of the vulnerability surfaced last month when security firm Wiz reported observing it being exploited in zero-day attacks. The flaw effectively circumvents existing protections implemented for CVE-2024-55947. Attackers are exploiting the vulnerability by creating a Git repository, embedding a symbolic link pointing to a sensitive target, and then utilizing the PutContents API to write data to that link.

This process allows the underlying operating system to navigate to the actual file referenced by the symbolic link, overwriting the target file located outside the repository. A successful exploit could enable attackers to overwrite critical Git configuration files, specifically the sshCommand setting, granting them unauthorized code execution privileges.
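The defensive check this exploit chain calls for, as an added example that is not Gogs' own code or patch: a file-editor write routine that rejects paths escaping the repository and refuses to write through a symbolic link at any depth, so a link planted in the repository cannot redirect the write to a file outside it. Function and error names are hypothetical.

```go
package main

import (
	"errors"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

var (
	ErrEscapesRepo = errors.New("path resolves outside the repository root") // hypothetical sentinels, not Gogs' API
	ErrSymlink     = errors.New("refusing to write through a symbolic link")
)

// SafeWriteFile writes content to relPath beneath repoRoot. It rejects "../" traversal lexically,
// Lstat()s every path component so a symlink at any depth (file or directory) is refused instead of
// being followed at open time, and opens with O_NOFOLLOW so a link racing into place is refused too.
func SafeWriteFile(repoRoot, relPath string, content []byte) error {
	target := filepath.Join(repoRoot, relPath) // Join cleans, so "a/../../x" becomes "../x" relative to root
	rel, err := filepath.Rel(repoRoot, target)
	if err != nil || rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return ErrEscapesRepo
	}
	cur := repoRoot
	for _, part := range strings.Split(rel, string(filepath.Separator)) {
		cur = filepath.Join(cur, part)
		info, err := os.Lstat(cur)
		if errors.Is(err, os.ErrNotExist) {
			break // the remaining components do not exist yet, so there is nothing to follow
		}
		if err != nil {
			return err
		}
		if info.Mode()&os.ModeSymlink != 0 {
			return ErrSymlink // the case the advisory describes: a link planted inside the repository
		}
	}
	if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
		return err
	}
	f, err := os.OpenFile(target, os.O_WRONLY|os.O_CREATE|os.O_TRUNC|syscall.O_NOFOLLOW, 0o644)
	if err != nil {
		return err
	}
	defer f.Close()
	_, err = f.Write(content)
	return err
}
```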

Widespread Exposure and Compromises

Wiz researchers have identified approximately 700 compromised Gogs instances to date. Data from the attack surface management platform Censys indicates that roughly 1,600 Gogs servers are currently exposed to the internet. The majority of these vulnerable servers are located in China (991), followed by the United States (146), Germany (98), Hong Kong (56), and Russia (49).

Patch Availability and Mitigation Strategies

Currently, no official patches directly address CVE-2025-8110. However, developers have submitted code changes to GitHub, and one project maintainer indicated last week that “Once the image is built on main, both gogs/gogs:latest and gogs/gogs:next-latest will have this CVE patched.”

In the interim, Gogs users are strongly advised to implement immediate mitigation measures. These include disabling the default open-registration setting and restricting server access through the use of a VPN or an allow-list. Federal Civilian Executive Branch (FCEB) agencies are mandated to apply these mitigations by February 2, 2026.

This vulnerability underscores the ongoing risks associated with open-source software and the critical need for proactive security measures, even in the absence of readily available patches.
