Full Report
Wiz Threat Research has observed exploitation in-the-wild of CVE-2025-8110
Analysis Summary
# Vulnerability: Gogs Zero-Day Remote Code Execution via Symlink Bypass
## CVE Details
- CVE ID: CVE-2025-8110
- CVSS Score: Not explicitly provided, but implies **Critical** severity due to RCE and active exploitation.
- CWE: CWE-59 (Improper Link Resolution to a File or Directory) or related path traversal/symlink abuse.
## Affected Systems
- Products: Gogs (self-hosted Git service)
- Versions: The article implies all versions are affected until a patch is released, specifically noting this as a bypass of a previously patched RCE (CVE-2024-55947).
- Configurations: Any instance where users have repository creation permissions (enabled by default) and the service is exposed to the internet. Servers configured with "Open Registration" are at higher risk.
## Vulnerability Description
CVE-2025-8110 is a critical zero-day vulnerability that bypasses the input validation fix implemented for CVE-2024-55947. The flaw stems from a failure to properly validate the **destination** of symbolic links (symlinks) committed to a Git repository.
An authenticated user can:
1. Commit a repository containing a symlink that points outside the repository directory structure.
2. Use the `PutContents` API to write data to this symlink.
3. Due to Gogs following the symlink, the data overwrites the target file, even if path validation on the committed filename is performed.
4. By overwriting sensitive internal files like `.git/config` (specifically the `sshCommand` directive), the attacker achieves arbitrary Remote Code Execution (RCE).
## Exploitation
- Status: **Exploited in the wild** (Active exploitation ongoing since prior to December 10, 2025).
- Complexity: **Low** (Trivial for any user with default repository creation permissions).
- Attack Vector: **Network** (Requires authenticated access to the Gogs instance).
## Impact
- Confidentiality: **High** (Arbitrary code execution allows access to system files and environment).
- Integrity: **High** (Ability to overwrite critical system or configuration files).
- Availability: **High** (Can lead to system compromise and potential Denial of Service).
## Remediation
### Patches
- **Status as of Dec 10, 2025:** A patch is **not yet available**. Maintainers are currently working on a fix.
### Workarounds
- Restrict or disable repository creation permissions for untrusted users.
- Review and disable "Open Registration" if enabled.
- Deploy network segmentation or firewall rules to limit internet exposure to necessary administrative IPs, if possible, until a patch is released.
## Detection
- **Indicators of Compromise (IOCs):**
- Observed use of the **Supershell** C2 framework payloads on compromised Gogs instances.
- Network traffic originating from the identified C2 server: `119.45.176[.]196`.
- **Detection Methods and Tools:**
- Monitor for file writes targeting sensitive configuration files (`.git/config`) originating from the Gogs application context.
- Look for suspicious modifications to the `sshCommand` entry in configuration files, indicating RCE attempt precursor.
- Tools capable of analyzing binaries for unique strings referencing the Supershell framework may aid in retrospective analysis.
## References
- Wiz Blog Post: hxxps://www.wiz.io/blog (Search for CVE-2025-8110)
- Previous RCE (Bypassed): hxxps://www.wiz.io/vulnerability-database/cve/cve-2024-55947