Full Report
A high-severity unpatched security vulnerability in Gogs has come under active exploitation, with more than 700 compromised instances accessible over the internet, according to new findings from Wiz. The flaw, tracked as CVE-2025-8110 (CVSS score: 8.7), is a case of file overwrite in the file update API of the Go-based self-hosted Git service. A fix for the issue is said to be currently in the
Analysis Summary
# Vulnerability: Gogs File Overwrite leading to Arbitrary Code Execution via Symlink Abuse
## CVE Details
- CVE ID: CVE-2025-8110
- CVSS Score: 8.7 (High)
- CWE: Not explicitly listed; the description implies improper link resolution before file access / improper input validation.
## Affected Systems
- Products: Gogs (Go-based self-hosted Git service)
- Versions: All released versions (no patched release exists as of the report date).
- Configurations: Instances with open registration or exposed to the internet.
## Vulnerability Description
CVE-2025-8110 is a high-severity file overwrite vulnerability in the `PutContents` API of Gogs. It arises from improper handling of symbolic links within Git repositories and bypasses the fix for an earlier issue (CVE-2024-55947). An attacker creates a repository containing a symlink whose target lies outside the repository boundary; writing to that path through the `PutContents` API overwrites the target file instead of the link. In the reported exploitation this is used to overwrite the repository's `.git/config` and set the `sshCommand` option, so that arbitrary commands run the next time Git performs an SSH operation for that repository.
## Exploitation
- Status: Exploited in the wild (Active exploitation reported affecting 700+ instances).
- Complexity: Medium (Requires knowledge of the API endpoint and the file overwrite technique).
- Attack Vector: Network (Exploitation is performed remotely via API calls).
## Impact
- Confidentiality: High (Potential to steal secrets via command execution).
- Integrity: High (Arbitrary file overwrite and arbitrary code execution).
- Availability: High (system compromise up to full takeover of the host).
## Remediation
### Patches
- A fix for the issue is reported to be currently **in the works** (Not yet released at the time of the report).
### Workarounds
- **Disable open-registration** immediately.
- **Limit exposure to the internet** (Restrict access to Gogs instances via network controls/firewalls).
- Scan instances for suspicious repositories, particularly those with **8-character random owner/repository names** created around July 10, 2025.
## Detection
- Indicators of Compromise: Presence of newly created Git repositories whose owner and repository names are 8-character random strings (e.g., the owner/repository pair "IV79VAew / Km4zoh4s").
- Detection methods and tools: Actively scan repository configuration files (`.git/config`) for unauthorized `sshCommand` settings. Monitor network traffic for connections involving the known C2 infrastructure related to the suspected malware (e.g., "119.45.176[.]196").
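The following script is an added detection example (not from the Wiz report or the Gogs project) implementing the two checks above: it parses git-config text for any `sshCommand` key and flags owner/repository pairs that match the 8-character random-name pattern. The repository root `/home/git/gogs-repositories` and the `<root>/<owner>/<repo>.git` layout are assumptions to adjust for your deployment.

```python
import os
import re

# Assumption: Gogs bare repositories live at <REPO_ROOT>/<owner>/<repo>.git;
# set REPO_ROOT to the repository root of your own deployment.
REPO_ROOT = "/home/git/gogs-repositories"

RANDOM_NAME = re.compile(r"^[A-Za-z0-9]{8}$")   # IoC pattern from the report
SECTION = re.compile(r"^\s*\[([^\]]+)\]\s*$")   # e.g. [core]
KEYVAL = re.compile(r"^\s*([A-Za-z][A-Za-z0-9]*)\s*=\s*(.*?)\s*$")

def find_ssh_command(config_text: str) -> list[dict[str, str]]:
    """Return each sshCommand setting (section + raw value); git keys are case-insensitive."""
    hits, section = [], ""
    for line in config_text.splitlines():
        m = SECTION.match(line)
        if m:
            section = m.group(1).strip()
            continue
        m = KEYVAL.match(line)
        if m and m.group(1).lower() == "sshcommand":
            hits.append({"section": section, "value": m.group(2)})
    return hits

def is_random_name(owner: str, repo: str) -> bool:
    """True when owner and repo are both 8 alphanumerics, like the reported IoCs."""
    repo = repo[:-4] if repo.endswith(".git") else repo
    return bool(RANDOM_NAME.match(owner) and RANDOM_NAME.match(repo))

def scan_repo_root(root: str = REPO_ROOT) -> list[str]:
    """Walk <root>/<owner>/<repo>.git and list findings worth an analyst's look."""
    findings = []
    owners = sorted(os.listdir(root)) if os.path.isdir(root) else []
    for owner in owners:
        owner_dir = os.path.join(root, owner)
        if not os.path.isdir(owner_dir):
            continue
        for repo in sorted(os.listdir(owner_dir)):
            if is_random_name(owner, repo):
                findings.append(f"random-looking repository name: {owner}/{repo}")
            cfg = os.path.join(owner_dir, repo, "config")  # bare repo config file
            if os.path.isfile(cfg):
                with open(cfg, encoding="utf-8", errors="replace") as fh:
                    for hit in find_ssh_command(fh.read()):
                        findings.append(f"sshCommand in {cfg} [{hit['section']}]: {hit['value']}")
    return findings

if __name__ == "__main__":
    for finding in scan_repo_root():
        print(finding)
```

A legitimate `core.sshCommand` is rare on a Gogs server, so every hit deserves manual review rather than automatic suppression.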
## References
- Vendor advisories: Patch status forthcoming from Gogs maintainers.
- Relevant links (defanged):
  - hxxps://www.wiz.io/blog/wiz-research-gogs-cve-2025-8110-rce-exploit
  - hxxps://www.cve.org/CVERecord?id=CVE-2025-8110
  - hxxps://www.cve.org/CVERecord?id=CVE-2024-55947