Gogs Zero-Day vulnerability actively exploited

Take action: If you're running Gogs (version 0.13.3 or earlier), this is urgent. Disable open registration in your settings and place the service behind a VPN or IP allow-list - there's an actively exploited vulnerability with no available patch. Check your server for suspicious repositories with random 8-character owner and repository names. These indicate your server is probably already compromised.

Wiz Threat Research reports active exploitation of a zero-day vulnerability in Gogs, a popular self-hosted Git service, during an investigation that began with a routine malware infection on a customer workload. 

The flaw is tracked as CVE-2025-8110 (CVSS score 7.8), a symlink bypass of a previously patched remote code execution vulnerability (CVE-2024-55947), allowing authenticated users to overwrite files outside the repository and achieve remote code execution. The vulnerability has been actively exploited since July 10, 2025, with over 700 instances compromised. As of December 10, 2025, a patch is not available despite responsible disclosure to the maintainers.

The current vulnerability exists because the fix implemented for CVE-2024-55947 added input validation on path parameters but failed to account for symbolic links. Since Gogs respects standard Git behavior and allows symbolic links in repositories that can point to objects outside the repository, attackers can exploit this oversight through a trivial process: 

  1. create a standard git repository
  2. commit a symbolic link pointing to a sensitive target
  3. use the PutContents API to write data to the symlink. 

The system follows the link and overwrites target files outside the repository. The simplest exploit is modifying the .git/config file's sshCommand to force arbitrary command execution. 

Wiz Research identified over 1,400 Gogs servers publicly exposed to the internet, and more than 700 confirmed compromised instances. All affected servers are running Gogs version 0.13.3 or earlier and are vulnerable if they are exposed to the internet and have open-registration enabled, which is the default setting.

The infected instances share distinctive indicators: repositories with random 8-character owner and repository names created within the same short time window on July 10, 2025, suggesting a single actor or group using identical tooling is responsible for all infections. These artifacts are necessary for the attack, but their visibility suggests an automated, large-scale campaign instead of targeted operations that would have marked repositories as private or deleted them immediately after exploitation.

Analysis of the malware payload revealed multiple layers of obfuscation designed to evade detection, including UPX packing and compilation with the garble tool that randomizes class names and encrypts string literals. 

The flaw was reported to Gogs maintainers on July 17, 2025, and acknowledged on October 30, 2025, but as of December 10, 2025, the vulnerability has not yet been fixed. A second wave of attacks was observed on November 1, 2025. 

Immediate mitigation is disabling open-registration if not required, and limiting internet exposure by placing self-hosted Git services behind a VPN or using IP allow-lists. All administrators should review their servers for, and monitor the creation of, repositories with random 8-character names, as well as unexpected usage of the PutContents API, to check for possible compromise.
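The detection check described above, as an added example that is not part of the original report or of Gogs itself: it scans constructed access-log lines for PutContents calls whose owner and repository names both match the random 8-character pattern, and measures how tightly such calls cluster in time (the automation signal the report describes). The PutContents route shape and the combined log format are assumptions; adjust the regexes to your own deployment's logs.

```python
import re
from datetime import datetime, timedelta

# Constructed reverse-proxy access-log lines (not real data). The PutContents route shape
# /api/v1/repos/{owner}/{repo}/contents/{path} is an assumption about the Gogs API.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jul/2025:14:02:11 +0000] "POST /api/v1/user/repos HTTP/1.1" 201 512
203.0.113.5 - - [10/Jul/2025:14:02:13 +0000] "PUT /api/v1/repos/qz8kd2vm/x7p1nw4e/contents/build/conf HTTP/1.1" 201 230
198.51.100.7 - - [10/Jul/2025:15:30:00 +0000] "PUT /api/v1/repos/alice/infra-docs/contents/README.md HTTP/1.1" 200 180
203.0.113.9 - - [10/Jul/2025:14:02:40 +0000] "PUT /api/v1/repos/m3rt9kqa/ab12cd34/contents/src/app.go HTTP/1.1" 201 230
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
PUT_CONTENTS_RE = re.compile(r"^/api/v1/repos/(?P<owner>[^/]+)/(?P<repo>[^/]+)/contents/(?P<file>.+)$")
RANDOM_NAME_RE = re.compile(r"^[A-Za-z0-9]{8}$")  # heuristic for the report's "random 8-character" names

def find_put_contents_events(log_text: str) -> list[dict]:
    """Return every PutContents call in the log, flagging random-named owner/repo pairs."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "PUT":
            continue
        p = PUT_CONTENTS_RE.match(m["path"])
        if not p:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "ip": m["ip"], "owner": p["owner"], "repo": p["repo"], "file": p["file"],
            # Both names random-looking is the campaign's fingerprint; one alone is weak evidence.
            "random_names": bool(RANDOM_NAME_RE.match(p["owner"]) and RANDOM_NAME_RE.match(p["repo"])),
        })
    return events

def largest_random_name_burst(events: list[dict], window: timedelta = timedelta(minutes=10)) -> int:
    """Largest count of random-named PutContents calls inside any sliding time window."""
    times = sorted(e["ts"] for e in events if e["random_names"])
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

if __name__ == "__main__":
    evts = find_put_contents_events(SAMPLE_LOG)
    for e in evts:
        print("SUSPECT" if e["random_names"] else "ok     ", e["ip"], f'{e["owner"]}/{e["repo"]}', e["file"])
    print("largest burst of random-named repos:", largest_random_name_burst(evts))
```

A burst of several flagged calls within minutes, rather than a single hit, is what distinguishes the automated campaign from a developer who happens to use short repository names.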

Update: as of 12 January 2025, CISA reports active exploitation of the flaw.