Gogs Zero-Day Exploited; Repos Under Siege

Unpatched Gogs Zero-Day Sees Mass Exploitation

A critical, unpatched vulnerability in the popular self-hosted Git service, Gogs, is under active and widespread exploitation. Flawtrack Threat Labs has identified an ongoing automated campaign leveraging this flaw to achieve remote code execution (RCE) on vulnerable servers. The vulnerability, designated CVE-2025-8110, is a critical bypass of a patch for a previous RCE bug (CVE-2024-55947), rendering many Gogs instances defenseless.

Gogs is a lightweight, open-source Git service known for its low minimal requirements and ease of use; this has led to its adoption in thousands of on-premises and cloud environments. Unfortunately, its primary function often requires it to be exposed to the internet for remote collaboration, making it a prime target for attackers. Our telemetry shows a startlingly high compromise rate; over 50% of the internet-facing Gogs instances we have identified show clear signs of infection.

Technical Analysis: The Symlink Bypass

To understand the current threat, we must first look at its predecessor. The original vulnerability, CVE-2024-55947, was a classic path traversal weakness. It abused the PutContents API, allowing an authenticated attacker to write files outside the intended git repository directory. This could be used to overwrite sensitive system files, such as SSH keys or application configurations, to achieve RCE.

The maintainers addressed this by adding input validation to the path parameter, theoretically preventing writes outside the repository's boundaries.

However, the fix was incomplete. It failed to account for a fundamental and powerful feature of Unix-like systems: symbolic links (symlinks). The new vulnerability, CVE-2025-8110, exploits this oversight.

The Gogs API writes to the file path without first checking if the target file is a symlink pointing outside the repo. This effectively renders the previous path validation useless if a symlink is involved.

The attack chain is trivial for an actor with an account on the Gogs instance, which is easily obtained if open registration is enabled.

1. Create a Repository: The attacker creates a standard git repository on the vulnerable Gogs server.
2. Commit a Symlink: The attacker creates and commits a symbolic link. For example, a symlink named exploit.link that points to a sensitive file like /home/git/.ssh/authorized_keys.
3. Abuse the API: The attacker then uses the PutContents API to write content (e.g., their own public SSH key) to the path exploit.link within the repository.
4. Execute Code: The Gogs application, while validating the path exploit.link is within the repository, follows the symlink and writes the attacker's SSH key directly into the /home/git/.ssh/authorized_keys file. The attacker now has persistent SSH access to the server and can execute arbitrary commands.

Anatomy of an Automated Campaign

Flawtrack first observed exploitation of this zero-day on July 10th. This activity has since escalated into an automated, 'smash-and-grab' style campaign. Our analysis suggests a single threat actor, or a group using the same tooling, is responsible for the widespread compromise.

On infected systems, we have detected traces of Supershell, an open-source command-and-control (C2) framework. While Supershell is a public tool, it has been previously associated with state-sponsored threat actors.

Our internet-wide scans have identified approximately 1,400 exposed Gogs instances. Of those, over 700 show clear indicators of compromise, a breach rate exceeding 50%. All infected instances share the same pattern: the creation of repositories with random 8-character names within a very short time window, confirming the automated nature of the attack.

No Patch Available: Immediate Mitigation Required

As of this publication, no official patch has been released for CVE-2025-8110. Gogs instances at or below version 0.13.3 with open registration enabled (the default setting) are considered vulnerable. Organizations must take immediate action to mitigate this threat.

Priority	Action	Description
Critical	Disable Open Registration	This is the primary entry vector for the attack. If you do not explicitly require public user registration, disable this feature immediately in your Gogs configuration.
High	Limit Internet Exposure	Your Gogs instance should not be open to the entire internet unless absolutely necessary. Place it behind a VPN or use a strict firewall allow-list to limit access to trusted IP addresses.
Medium	Hunt for Indicators of Compromise (IoCs)	Proactively search for signs of a breach. Check your Gogs instance for newly created repositories with random 8-character names. Scrutinize your application logs for any unexpected or suspicious usage of the PutContents API.

Don't Be the Next Victim: Proactive Attack Surface Management

This Gogs zero-day is a stark reminder that your attack surface is larger and more vulnerable than you think. Internet-facing applications, especially those with unpatched, actively exploited flaws, are ticking time bombs.

Waiting for a vulnerability announcement is a reactive posture that guarantees you will always be one step behind the attackers. Flawtrack's Attack Surface Management (ASM) platform provides the proactive visibility you need. We continuously scan the internet to discover your entire external footprint, identifying assets like vulnerable Gogs instances and other potential entry points before they can be exploited.

Secure your perimeter and gain control over your external risks. Request a demo of Flawtrack today at flawtrack.com/request-demo.