
High-severity flaw added to KEV catalog as attacks continue in the wild

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity vulnerability affecting Gogs to its Known Exploited Vulnerabilities (KEV) catalog, confirming that attackers are actively exploiting the flaw in real-world attacks.

The issue, tracked as CVE-2025-8110 with a CVSS score of 8.7, lets an attacker achieve remote code execution through a path traversal in Gogs' repository file editor: the editor can be made to write through a symbolic link, and therefore outside the repository it is supposed to be confined to.

Technical Details of the Vulnerability

The vulnerability stems from improper symbolic link handling in the PutContents API, the server-side endpoint behind Gogs' web file editor. The editor resolves the requested path inside the repository's working tree without checking whether that path is a symbolic link, so a write to a linked path follows the link, escapes the repository boundary and overwrites a file on the underlying system.

Attackers can achieve exploitation by:

  • Creating a malicious Git repository
  • Committing a symbolic link that points to a sensitive system file
  • Using the PutContents API to write data through the symbolic link

As a result, the write follows the symlink at the operating-system level and lands on a file outside the repository, with whatever content the attacker supplied to the editor.

How Attackers Gain Code Execution

By overwriting a Git configuration file to set core.sshCommand, attackers make Git run a command of their choosing the next time it performs an SSH operation for that repository, which yields code execution on the server. The editor is available to any registered user, so the only prerequisite is an account; on instances that leave self-registration enabled (the Gogs default), anyone on the internet can create one.
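As an added illustration (not code from Gogs or from the researchers who reported the flaw), the Go program below models the write path described in the steps above. naiveWrite joins the requested path onto the working tree and writes, which is all a committed symlink needs to redirect the write outside the repository. safeWrite shows the checks a file editor has to make instead: resolve symlinks in the parent directory and confirm it is still inside the repository (this also catches a plain "../" escape), refuse a symlink at the final component, and open with O_NOFOLLOW so a link swapped in after the check is rejected too. The directory layout, the symlink and the core.sshCommand payload are all constructed for the demo; nothing in it executes the command.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

// ErrEscapesRepo is returned when a write would land outside the repository.
var ErrEscapesRepo = errors.New("path resolves outside the repository")

// naiveWrite models an editor that joins the caller-supplied path onto the working tree and
// writes. os.WriteFile follows a symlink at the final component, so a committed link wins.
func naiveWrite(repoDir, relPath string, data []byte) error {
	return os.WriteFile(filepath.Join(repoDir, relPath), data, 0o644)
}

// safeWrite resolves symlinks in the parent directory and requires it to stay inside the
// repository (filepath.Join cleans "../", so lexical escapes surface here too), refuses a
// symlink at the final component, and opens with O_NOFOLLOW (a Unix flag) so a link swapped
// in between the check and the open cannot redirect the write either.
func safeWrite(repoDir, relPath string, data []byte) error {
	root, err := filepath.EvalSymlinks(repoDir)
	if err != nil {
		return err
	}
	target := filepath.Join(root, relPath)
	parent, err := filepath.EvalSymlinks(filepath.Dir(target))
	if err != nil {
		return err
	}
	rel, err := filepath.Rel(root, parent)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return ErrEscapesRepo
	}
	if fi, err := os.Lstat(target); err == nil && !fi.Mode().IsRegular() {
		return ErrEscapesRepo // a symlink (or other non-file) is already there: refuse outright
	}
	f, err := os.OpenFile(target, os.O_WRONLY|os.O_CREATE|os.O_TRUNC|syscall.O_NOFOLLOW, 0o644)
	if err != nil {
		return err
	}
	defer f.Close()
	_, err = f.Write(data)
	return err
}

// hasPayload reports whether the file at path now carries the attacker's config key.
func hasPayload(path string) bool {
	b, _ := os.ReadFile(path)
	return strings.Contains(string(b), "sshCommand")
}

// DemoResult collects what each editor did with the same requests.
type DemoResult struct {
	SafeErr        error // hardened editor's verdict on the symlink "evil"
	SafeNormalOK   bool  // hardened editor still accepts an ordinary in-repo path
	SafeTouched    bool  // outside/config modified by the hardened editor (should be false)
	NaiveOverwrote bool  // naive editor wrote through the symlink into outside/config
}

// RunDemo builds a constructed layout in a temp dir (nothing here is real Gogs data):
//   <tmp>/outside/config                   a file outside the repository
//   <tmp>/repo/evil -> ../outside/config   a symlink "committed" into the working tree
// and asks both editors to write an attacker-shaped git config fragment through "evil".
func RunDemo() (DemoResult, error) {
	var res DemoResult
	tmp, err := os.MkdirTemp("", "symlink-demo")
	if err != nil {
		return res, err
	}
	defer os.RemoveAll(tmp)
	outside := filepath.Join(tmp, "outside", "config")
	repo := filepath.Join(tmp, "repo")
	if err := errors.Join(
		os.MkdirAll(filepath.Dir(outside), 0o755),
		os.MkdirAll(repo, 0o755),
		os.WriteFile(outside, []byte("[core]\n\trepositoryformatversion = 0\n"), 0o644),
		os.Symlink(filepath.Join("..", "outside", "config"), filepath.Join(repo, "evil")),
	); err != nil {
		return res, err
	}
	// Constructed payload in the shape the article describes: core.sshCommand makes git run
	// the given command on its next SSH operation. Nothing in this demo executes it.
	payload := []byte("[core]\n\tsshCommand = echo constructed-example-payload\n")
	// Hardened editor first, while outside/config is still clean.
	res.SafeErr = safeWrite(repo, "evil", payload)
	res.SafeNormalOK = safeWrite(repo, "README.md", []byte("hello\n")) == nil
	res.SafeTouched = hasPayload(outside)
	// Naive editor: the same request goes straight through the symlink.
	if err := naiveWrite(repo, "evil", payload); err != nil {
		return res, err
	}
	res.NaiveOverwrote = hasPayload(outside)
	return res, nil
}

func main() {
	res, err := RunDemo()
	fmt.Printf("%+v err=%v\n", res, err)
}
```

Run it and the naive editor reports that outside/config now carries sshCommand while the hardened one refuses the same request and leaves the file alone. Since Go 1.24 the standard library offers os.OpenRoot, which enforces the same containment as a primitive; the manual version above shows what that primitive has to check, and why a check on the final component alone is not enough when a parent directory can itself be a link.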

Security researchers observed attackers leveraging this method to compromise servers shortly after disclosure, confirming active exploitation in the wild.

Scope and Impact

Researchers identified hundreds of compromised Gogs instances during active scanning. A significant number of Gogs servers remain exposed to the internet, increasing the likelihood of continued exploitation.

Internet-facing development infrastructure is particularly at risk, as attackers can pivot from compromised repositories to broader internal environments.

Patch Status and Mitigation

At present, no patched release of Gogs has been published for CVE-2025-8110. The maintainers have, however, confirmed that fixes are already merged into the project's main branch and will ship in upcoming container images.

Until patched versions become available, users are strongly advised to:

  • Disable default open-registration settings
  • Restrict access using VPNs or IP allow-lists
  • Remove unnecessary internet exposure
  • Monitor repositories for unauthorized changes, in particular unexpected symbolic links in commits and edits to Git configuration files
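One way to act on the last item, as an added example rather than anything the Gogs project or the researchers ship: a Go scanner that walks a Gogs repository root, finds every Git config file (a file named "config" beside a HEAD, so bare repositories and .git directories both match) and reports any sshCommand entry, the setting the article names as the code-execution vector. The repository layout and the backdoored config are constructed inside the program; the <root>/<user>/<name>.git path convention is assumed to match how Gogs stores bare repositories, and only the sshCommand key is checked, so extend the match if you want to cover other command-bearing settings.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Finding is one git config entry that would make git run a command.
type Finding struct {
	File    string // config file the entry was found in
	Line    int    // 1-based line number
	Section string // enclosing section header, e.g. core
	Key     string
	Value   string
}

// ScanConfig parses a git config file just far enough to find sshCommand. Keys are
// case-insensitive in git, so "SSHCommand" counts; the section is recorded, not filtered on.
func ScanConfig(path string) ([]Finding, error) {
	f, err := os.Open(path)
	if err != nil {
		return nil, err
	}
	defer f.Close()
	var out []Finding
	section := ""
	sc := bufio.NewScanner(f)
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || line[0] == '#' || line[0] == ';' {
			continue
		}
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			section = strings.TrimSpace(line[1 : len(line)-1])
			continue
		}
		key, value, _ := strings.Cut(line, "=")
		if strings.EqualFold(strings.TrimSpace(key), "sshCommand") {
			out = append(out, Finding{path, n, section, strings.TrimSpace(key), strings.TrimSpace(value)})
		}
	}
	return out, sc.Err()
}

// ScanRepos walks a repository root (assumed Gogs layout: <root>/<user>/<name>.git) and
// scans every "config" that sits beside a HEAD file, true of bare repos and .git dirs alike.
func ScanRepos(root string) ([]Finding, error) {
	var all []Finding
	err := filepath.Walk(root, func(p string, info os.FileInfo, err error) error {
		if err != nil || info.IsDir() || info.Name() != "config" {
			return err
		}
		if _, statErr := os.Stat(filepath.Join(filepath.Dir(p), "HEAD")); statErr != nil {
			return nil // a "config" file that is not part of a git directory
		}
		found, scanErr := ScanConfig(p)
		all = append(all, found...)
		return scanErr
	})
	return all, err
}

// RunDemo lays out a constructed repository root in a temp dir: one clean bare repo, one whose
// config carries an attacker-style sshCommand, and a stray non-git "config" that must be ignored.
func RunDemo() ([]Finding, error) {
	tmp, err := os.MkdirTemp("", "gogs-scan-demo")
	if err != nil {
		return nil, err
	}
	defer os.RemoveAll(tmp)
	files := map[string]string{
		"alice/clean.git/HEAD":        "ref: refs/heads/main\n",
		"alice/clean.git/config":      "[core]\n\tbare = true\n",
		"alice/backdoored.git/HEAD":   "ref: refs/heads/main\n",
		"alice/backdoored.git/config": "[core]\n\tbare = true\n\tSSHCommand = echo constructed-example-payload\n",
		"alice/notes/config":          "sshCommand = not a git repo, must be ignored\n",
	}
	for rel, body := range files {
		p := filepath.Join(tmp, filepath.FromSlash(rel))
		if err := errors.Join(os.MkdirAll(filepath.Dir(p), 0o755), os.WriteFile(p, []byte(body), 0o644)); err != nil {
			return nil, err
		}
	}
	return ScanRepos(tmp)
}

func main() {
	findings, err := RunDemo()
	fmt.Printf("findings=%+v err=%v\n", findings, err)
}
```

Point ScanRepos at the real repository root instead of the constructed one to use it on a server; a single hit is worth treating as a compromise indicator, since nothing in normal Gogs operation writes that key into a repository's config.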

Federal agencies are required to apply mitigations by February 2, 2026.

Why This Matters

Source-code management platforms increasingly sit at the core of modern software supply chains. When attackers compromise these systems, they gain opportunities to manipulate code, steal secrets, and pivot into production environments.

This incident highlights how development infrastructure continues to be a high-value target for attackers seeking long-term access.