The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned of active exploitation of a high-severity security flaw impacting Gogs by adding it to its Known Exploited Vulnerabilities (KEV) catalog.
The vulnerability, tracked as CVE-2025-8110 (CVSS score: 8.7), relates to a case of path traversal in the repository file editor that could result in code execution.
“Gogs Path Traversal Vulnerability: Gogs contains a path traversal vulnerability affecting improper Symbolic link handling in the PutContents API that could allow for code execution,” CISA said in an advisory.
Details of the shortcoming came to light last month when Wiz said it discovered it being exploited in zero-day attacks. The vulnerability essentially bypasses protections put in place for CVE-2024-55947 to achieve code execution by creating a git repository, committing a symbolic link pointing to a sensitive target, and using the PutContents API to write data to the symlink.
This, in turn, causes the underlying operating system to navigate to the actual file the symlink points to and overwrites the target file outside the repository. An attacker could leverage this behavior to overwrite Git configuration files, specifically the sshCommand setting, giving them code execution privileges.
Wiz said it identified 700 compromised Gogs instances. According to data from the attack surface management platform Censys, there are about 1,600 internet-exposed Gogs servers, out of which the majority of them are located in China (991), the U.S. (146), Germany (98), Hong Kong (56), and Russia (49).
There are currently no patches that address CVE-2025-8110, although pull requests on GitHub show that the necessary code changes have been made. “Once the image is built on main, both gogs/gogs:latest and gogs/gogs:next-latest will have this CVE patched,” one of the project maintainers said last week.
In the absence of a fix, Gogs users are advised to disable the default open-registration setting and limit server access using a VPN or an allow-list. Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary mitigations by February 2, 2026.
