Full Report
More than half of internet-exposed instances already compromised

Attackers are actively exploiting a zero-day bug in Gogs, a popular self-hosted Git service, and the open source project doesn't yet have a fix.…
Analysis Summary
# Vulnerability: Gogs Zero-Day RCE via Untrustworthy Symbolic Link Handling
## CVE Details
- CVE ID: CVE-2025-8110
- CVSS Score: *Not stated in the source; treated as Critical because the flaw yields remote code execution and is being exploited in the wild.* (Severity: High/Critical)
- CWE: CWE-59 (Improper Link Resolution Before File Access ('Link Following')) [inferred from the symlink abuse; not stated in the source]
## Affected Systems
- Products: Gogs (Self-hosted Git service)
- Versions: 0.13.3 and earlier (no fixed release at the time of the report)
- Configurations: Internet-exposed instances with **open registration enabled** (the default), since any visitor can then create the account and repository the attack needs.
## Vulnerability Description
CVE-2025-8110 is a zero-day vulnerability that lets any authenticated user with repository-creation rights achieve Remote Code Execution (RCE). It bypasses the fix for CVE-2024-55947, an earlier file-overwrite flaw in the same code path: that fix did not account for symbolic links, so a symlink committed into a repository still redirects a server-side write to a file the user must not be able to touch.
An attacker with repository-creation permissions can:
1. Create an ordinary Git repository on the target instance.
2. Commit a symbolic link whose target is a sensitive file outside the intended write area, e.g. the repository's own `.git/config`.
3. Call the `PutContents` API with the symlink's path as the file to write; the server follows the link and overwrites the target file with the supplied content.
4. Supply a `.git/config` that sets `core.sshCommand` to an attacker-chosen command. Git runs that command during a subsequent operation on the repository, giving code execution with the privileges of the Gogs process.
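The root cause in the steps above is a path check that looks only at the *name* of the file being written, not at what that name resolves to. The following added example (written for this summary, not code from Gogs or from the Wiz advisory) contrasts a lexical "does the cleaned path still start with the repository root?" check, which a committed symlink slips past, with a resolving check that follows symlinks in the parent directory, refuses to write through a symlink, and rejects any path naming `.git`. The checkout layout, the file names `cfg-link`, `out` and `secret.txt`, and the `.git` rejection are all constructed for the demonstration; it goes slightly beyond the page by also covering a directory symlink that leaves the repository.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var (
	ErrOutsideRepo = errors.New("path resolves outside the repository")
	ErrSymlink     = errors.New("refusing to write through a symbolic link")
	ErrGitDir      = errors.New("refusing to write inside .git")
)

// Result records how the two checks treat one user-supplied path.
type Result struct {
	Rel         string
	LexicalOK   bool  // accepted by the lexical check
	ResolvedErr error // verdict of the resolving check (nil = accepted)
}

// lexicalCheck stops "../" traversal and nothing more: it cleans the joined
// path and asks whether the result still starts with root. A symlink committed
// into the tree passes, because the link's name is inside root; only its
// target is not.
func lexicalCheck(root, rel string) (string, error) {
	full := filepath.Clean(filepath.Join(root, rel))
	if full != root && !strings.HasPrefix(full, root+string(filepath.Separator)) {
		return "", ErrOutsideRepo
	}
	return full, nil
}

// resolvedCheck is the hardened form: resolve the root and the parent
// directory with EvalSymlinks, require the resolved parent to stay inside the
// resolved root, refuse a final component that is itself a symlink, and (as a
// defence-in-depth assumption of this example) refuse any path naming .git.
// A write into a not-yet-existing subdirectory would need the deepest
// existing ancestor resolved instead; this example keeps to existing parents.
func resolvedCheck(root, rel string) (string, error) {
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	sep := string(filepath.Separator)
	full := filepath.Clean(filepath.Join(realRoot, rel))
	if full == realRoot || !strings.HasPrefix(full, realRoot+sep) {
		return "", ErrOutsideRepo // empty path or lexical escape
	}
	for _, c := range strings.Split(strings.TrimPrefix(full, realRoot+sep), sep) {
		if strings.EqualFold(c, ".git") {
			return "", ErrGitDir
		}
	}
	parent, err := filepath.EvalSymlinks(filepath.Dir(full))
	if err != nil {
		return "", err
	}
	if parent != realRoot && !strings.HasPrefix(parent, realRoot+sep) {
		return "", ErrOutsideRepo // a directory symlink left the repository
	}
	final := filepath.Join(parent, filepath.Base(full))
	if fi, err := os.Lstat(final); err == nil && fi.Mode()&os.ModeSymlink != 0 {
		return "", ErrSymlink // the file itself is a link; do not follow it
	}
	return final, nil
}

// buildCheckout lays out a constructed checkout for the demonstration:
// repo/.git/config (the overwrite target), repo/README.md, the attacker's
// symlinks repo/cfg-link -> .git/config and repo/out -> ../outside, and
// outside/secret.txt beyond the repository.
func buildCheckout() (root string, cleanup func(), err error) {
	tmp, err := os.MkdirTemp("", "gogs-symlink-demo")
	if err != nil {
		return "", nil, err
	}
	cleanup = func() { os.RemoveAll(tmp) }
	root = filepath.Join(tmp, "repo")
	steps := []func() error{
		func() error { return os.MkdirAll(filepath.Join(root, ".git"), 0o755) },
		func() error { return os.MkdirAll(filepath.Join(tmp, "outside"), 0o755) },
		func() error { return os.WriteFile(filepath.Join(root, ".git", "config"), []byte("[core]\n\tbare = false\n"), 0o644) },
		func() error { return os.WriteFile(filepath.Join(root, "README.md"), []byte("hello\n"), 0o644) },
		func() error { return os.WriteFile(filepath.Join(tmp, "outside", "secret.txt"), []byte("secret\n"), 0o644) },
		func() error { return os.Symlink(filepath.Join(".git", "config"), filepath.Join(root, "cfg-link")) },
		func() error { return os.Symlink(filepath.Join("..", "outside"), filepath.Join(root, "out")) },
	}
	for _, s := range steps {
		if err := s(); err != nil {
			cleanup()
			return "", nil, err
		}
	}
	return root, cleanup, nil
}

// runChecks evaluates a benign path and three attacker-style paths with both checks.
func runChecks(root string) []Result {
	paths := []string{"README.md", "cfg-link", "out/secret.txt", "../escape.txt"}
	var out []Result
	for _, p := range paths {
		_, lexErr := lexicalCheck(root, p)
		_, resErr := resolvedCheck(root, p)
		out = append(out, Result{Rel: p, LexicalOK: lexErr == nil, ResolvedErr: resErr})
	}
	return out
}

func main() {
	root, cleanup, err := buildCheckout()
	if err != nil {
		fmt.Println("fixture:", err)
		return
	}
	defer cleanup()
	for _, r := range runChecks(root) {
		fmt.Printf("%-16s lexical=%-5v resolved=%v\n", r.Rel, r.LexicalOK, r.ResolvedErr)
	}
}
```

Only `../escape.txt` is caught by the lexical check; `cfg-link` and `out/secret.txt` look like ordinary in-tree files until the link is resolved, which is exactly the gap the earlier traversal fix left open.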
## Exploitation
- Status: **Exploited in the wild** (More than 700 instances confirmed compromised).
- Complexity: **Low** (described as "trivial for any user with repository creation permissions," which registered users have by default).
- Attack Vector: Network; requires only an account with repository-creation permission, which open registration grants to anyone.
## Impact
- Confidentiality: High (Arbitrary command execution can lead to full system compromise)
- Integrity: High (Arbitrary file overwrite and code execution)
- Availability: High (System takeover possible)
## Remediation
### Patches
- **None immediately available.** The maintainers are "currently working on a fix."
### Workarounds
1. **Disable open registration immediately** if it is not required (in Gogs this is `DISABLE_REGISTRATION = true` under `[service]` in `custom/conf/app.ini`), and review accounts created while it was open.
2. **Limit internet exposure** by placing self-hosted Gogs services behind a VPN or otherwise restricting external access until a fixed release is available.
## Detection
- **Indicators of Compromise (IoCs):**
- Newly created repositories with **random 8-character names**.
- Anomalous **`PutContents` API** usage, in particular writes whose target path is a symbolic link or whose body looks like a Git config file.
- Payloads belonging to the **Supershell remote command-and-control framework**.
- `sshCommand` entries in repository `.git/config` (or bare-repo `config`) files that were not set by an administrator.
- **Detection Methods and Tools:**
- Monitor API calls for `PutContents` usage directed at symlinks or configuration files rather than ordinary content.
- Review repositories created around the dates reported by Wiz (the advisory cites activity around July 10) and the owner/repository naming patterns it lists.
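The two on-disk indicators above (random 8-character repository names and an unexpected `sshCommand` in a repository config) can be checked directly against the server's repository storage. The following added example is this summary's own scanner, not a tool from Wiz or the Gogs project: it assumes the default Gogs layout of `<storage root>/<owner>/<repo>.git` with a bare-repo `config` file at the top of each repository, treats "random 8-character name" as eight alphanumerics before `.git`, and builds a constructed storage tree (the owners `alice`, `bob`, `carol`, their repositories, and the placeholder `sshCommand` value are all made up) so it runs offline.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// Finding is one repository on disk that matched at least one indicator.
type Finding struct {
	Repo    string // owner/name.git, relative to the storage root
	Reasons []string
}

var (
	// Assumed pattern for the "random 8-character names" the advisory describes.
	randomName = regexp.MustCompile(`^[A-Za-z0-9]{8}\.git$`)
	// sshCommand written as a key line anywhere in a Git config file.
	sshCommand = regexp.MustCompile(`(?i)^\s*sshCommand\s*=`)
)

// configHasSSHCommand reports whether a Git config file sets sshCommand and
// returns the offending line for the report.
func configHasSSHCommand(path string) (bool, string, error) {
	f, err := os.Open(path)
	if err != nil {
		return false, "", err
	}
	defer f.Close()
	sc := bufio.NewScanner(f)
	for sc.Scan() {
		if sshCommand.MatchString(sc.Text()) {
			return true, strings.TrimSpace(sc.Text()), nil
		}
	}
	return false, "", sc.Err()
}

// scanStorage walks <storageRoot>/<owner>/<repo>.git and returns every
// repository matching either indicator, in directory order.
func scanStorage(storageRoot string) ([]Finding, error) {
	owners, err := os.ReadDir(storageRoot)
	if err != nil {
		return nil, err
	}
	var findings []Finding
	for _, o := range owners {
		if !o.IsDir() {
			continue
		}
		repos, err := os.ReadDir(filepath.Join(storageRoot, o.Name()))
		if err != nil {
			return nil, err
		}
		for _, r := range repos {
			if !r.IsDir() || !strings.HasSuffix(r.Name(), ".git") {
				continue
			}
			var reasons []string
			if randomName.MatchString(r.Name()) {
				reasons = append(reasons, "random 8-character repository name")
			}
			cfg := filepath.Join(storageRoot, o.Name(), r.Name(), "config")
			if hit, line, err := configHasSSHCommand(cfg); err == nil && hit {
				reasons = append(reasons, "sshCommand set in config: "+line)
			}
			if len(reasons) > 0 {
				findings = append(findings, Finding{Repo: o.Name() + "/" + r.Name(), Reasons: reasons})
			}
		}
	}
	return findings, nil
}

// buildStorage creates a constructed storage tree: one repository with a
// random name and a planted sshCommand, one ordinary repository, and one
// whose only oddity is its name.
func buildStorage() (root string, cleanup func(), err error) {
	root, err = os.MkdirTemp("", "gogs-scan-demo")
	if err != nil {
		return "", nil, err
	}
	cleanup = func() { os.RemoveAll(root) }
	files := map[string]string{
		"alice/Ab12Cd34.git/config": "[core]\n\tbare = true\n\tsshCommand = /tmp/.x/run.sh\n", // constructed placeholder
		"bob/infra-docs.git/config": "[core]\n\tbare = true\n",
		"carol/x9y8z7w6.git/config": "[core]\n\tbare = true\n",
	}
	for rel, body := range files {
		p := filepath.Join(root, filepath.FromSlash(rel))
		if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
			cleanup()
			return "", nil, err
		}
		if err := os.WriteFile(p, []byte(body), 0o644); err != nil {
			cleanup()
			return "", nil, err
		}
	}
	return root, cleanup, nil
}

func main() {
	root, cleanup, err := buildStorage()
	if err != nil {
		fmt.Println("fixture:", err)
		return
	}
	defer cleanup()
	findings, err := scanStorage(root) // on a real host pass e.g. ~/gogs-repositories
	if err != nil {
		fmt.Println("scan:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("%s: %s\n", f.Repo, strings.Join(f.Reasons, "; "))
	}
}
```

A name match on its own is weak evidence (legitimate users do create short repositories); the combination of a random name and a planted `sshCommand` is what the advisory's indicators describe, so triage the findings with both reasons first.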
## References
- Wiz Research advisory: hxxps://www.wiz.io/blog/wiz-research-gogs-cve-2025-8110-rce-exploit
- Previous vulnerability (CVE-2024-55947) advisory: hxxps://github.com/advisories/GHSA-qf5v-rp47-55gg