Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned of active exploitation of a high-severity security flaw impacting Gogs by adding it to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability, tracked as CVE-2025-8110 (CVSS score: 8.7), relates to a case of path traversal in the repository file editor that could result in code execution. "Gogs Path
Analysis Summary
# Vulnerability: Gogs Path Traversal Leading to Code Execution
## CVE Details
- CVE ID: CVE-2025-8110
- CVSS Score: 8.7 (High)
- CWE: Path Traversal (Implied, related to improper Symbolic link handling)
## Affected Systems
- Products: Gogs
- Versions: Not explicitly specified, but impacts versions vulnerable to improper Symbolic link handling in the `PutContents` API.
- Configurations: Instances where the repository file editor is accessible.
## Vulnerability Description
This is a path traversal vulnerability residing in the Gogs repository file editor, specifically related to improper Symbolic link handling within the `PutContents` API. An attacker can exploit this by creating a Git repository, committing a symbolic link that points to a sensitive external file (e.g., `/etc/ssh/sshd_config`), and then using the `PutContents` API (`PutContents API`) to write data to this symlink. This action causes the underlying operating system to follow the link and overwrite the target file outside the repository's scope. This specific mechanism was used to overwrite the `sshCommand` setting in Git configuration files, leading to remote Code Execution (RCE). This flaw bypasses protections related to a previous vulnerability, CVE-2024-55947.
## Exploitation
- Status: Exploited in the wild (CISA added to KEV catalog; 700 compromised instances identified by Wiz).
- Complexity: Implied to be achievable by a remote, potentially unauthenticated, attacker.
- Attack Vector: Network (via API/Web Interface).
## Impact
- Confidentiality: High (Ability to overwrite configuration files can lead to unauthorized access/information disclosure).
- Integrity: High (Direct file overwrite of sensitive system or application configuration files).
- Availability: High (RCE can result in system compromise or denial of service).
## Remediation
### Patches
- **No official patch version released at the time of summary.** Pull requests addressing the issue exist in the Gogs GitHub repository.
- Maintainers indicated that patches will be included in `gogs/gogs:latest` and `gogs/gogs:next-latest` after the next image build.
### Workarounds
- Disable the default open-registration setting.
- Limit server access using a VPN or an IP allow-list.
- (FCEB agencies must apply mitigations by February 2, 2026.)
## Detection
- **Indicators of Compromise (IOCs):** Attempted exploitation involving symbolic link creation followed by file writes via the `PutContents` API targeting configuration files (especially those related to SSH/Git configurations).
- **Detection Methods and Tools:** Monitor file system activity for unauthorized writes to configuration directories outside of expected repository paths, particularly triggered by API calls related to file content updates.
## References
- Vendor Advisories: CISA KEV inclusion announcement.
- Relevant Links:
- cisa.gov/news-events/alerts/2026/01/12/cisa-adds-one-known-exploited-vulnerability-catalog
- github.com/gogs/gogs/pull/8078
- github.com/gogs/gogs/pull/8082