Gogs 0-Day Vulnerability Exploited in the Wild to Hack 700+ Instances

A critical zero-day vulnerability in Gogs, a widely used self-hosted Git service, is currently being exploited in the wild. Designated CVE-2025-8110, the flaw allows authenticated users to bypass the service's path validation through symbolic links, leading to Remote Code Execution (RCE).

As of this writing, no patch is available, and researchers estimate that over 50% of public-facing Gogs instances have already been compromised.

The discovery began on July 10, 2025, during a routine investigation of a malware infection on a customer workload. Wiz analysts traced the entry point to a Gogs instance running a version (0.13.2) that should have been secure.

Further analysis revealed that threat actors were exploiting a regression in the Gogs API to bypass protections implemented for CVE-2024-55947.

The core issue lies in how Gogs handles file modifications via its API. While the maintainers had previously patched a path traversal flaw by validating input paths, they failed to account for symbolic links (symlinks). Gogs, adhering to standard Git protocols, allows users to commit symlinks.

Attackers exploit this by creating a repository, committing a symlink that points to a sensitive file outside the repository (such as system configuration files), and then using the PutContents API to write data to that link.

The API validates the file path name but does not validate the destination of the symlink. This allows the attacker to overwrite files on the host system, such as .git/config, injecting malicious commands into the sshCommand parameter to achieve RCE.
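The distinction the article draws, validating the path string without checking what a symlink on that path points to, is easiest to see side by side. The following Go program is an added example written for this page, not code from the article or from the Gogs project: it pairs a purely lexical path check with a symlink-aware one, builds a scratch repository containing a symlink whose target lies outside the repository (constructed sample data), and reports which check lets a write through it pass. The function names, the scratch layout and the "config" link name are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var (
	ErrOutsideRepo = errors.New("path escapes the repository root")
	ErrSymlink     = errors.New("refusing to write through a symbolic link")
)

// LexicalCheck rejects absolute paths and ".." traversal by inspecting the
// path string alone. This is the kind of check that stops classic path
// traversal but says nothing about what a committed symlink points at.
func LexicalCheck(repoRoot, userPath string) (string, error) {
	if filepath.IsAbs(userPath) {
		return "", ErrOutsideRepo
	}
	cleaned := filepath.Clean(userPath)
	if cleaned == ".." || strings.HasPrefix(cleaned, ".."+string(os.PathSeparator)) {
		return "", ErrOutsideRepo
	}
	return filepath.Join(repoRoot, cleaned), nil
}

// SymlinkSafeCheck runs LexicalCheck and then walks every component below
// repoRoot with Lstat, refusing the write if any existing component is a
// symlink. Dangling links are caught too, because Lstat does not follow them.
func SymlinkSafeCheck(repoRoot, userPath string) (string, error) {
	target, err := LexicalCheck(repoRoot, userPath)
	if err != nil {
		return "", err
	}
	rel, err := filepath.Rel(repoRoot, target)
	if err != nil {
		return "", err
	}
	cur := repoRoot
	for _, part := range strings.Split(rel, string(os.PathSeparator)) {
		cur = filepath.Join(cur, part)
		fi, err := os.Lstat(cur)
		if errors.Is(err, os.ErrNotExist) {
			break // nothing further exists, so there is nothing to follow
		}
		if err != nil {
			return "", err
		}
		if fi.Mode()&os.ModeSymlink != 0 {
			return "", ErrSymlink
		}
	}
	return target, nil
}

// Demo builds a scratch repository (constructed, not real data) containing a
// symlink named "config" that points outside it, then reports whether the
// lexical check accepts the write and whether the symlink-aware check rejects it.
func Demo() (lexicalAccepted, safeRejected bool, err error) {
	base, err := os.MkdirTemp("", "symlink-demo")
	if err != nil {
		return false, false, err
	}
	defer os.RemoveAll(base)
	repo := filepath.Join(base, "repo")
	outside := filepath.Join(base, "outside")
	for _, d := range []string{repo, outside} {
		if err := os.MkdirAll(d, 0o755); err != nil {
			return false, false, err
		}
	}
	// Constructed: the "committed" symlink whose target lies outside the repo.
	if err := os.Symlink(filepath.Join(outside, "victim.conf"), filepath.Join(repo, "config")); err != nil {
		return false, false, err
	}
	_, lexErr := LexicalCheck(repo, "config")
	_, safeErr := SymlinkSafeCheck(repo, "config")
	return lexErr == nil, errors.Is(safeErr, ErrSymlink), nil
}

func main() {
	lex, safe, err := Demo()
	if err != nil {
		fmt.Println("demo failed:", err)
		return
	}
	fmt.Printf("lexical check accepted write through symlink: %v\n", lex)
	fmt.Printf("symlink-aware check rejected it:             %v\n", safe)
}
```

Refusing to write through any symlink component is deliberately stricter than resolving the link and comparing the result against the root: it also covers dangling links, which would otherwise create a new file at the link's target, and it avoids the time-of-check/time-of-use gap between resolving a path and opening it.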

The exploitation requires an account with repository creation privileges. Since many Gogs instances default to “Open Registration,” the attack surface is massive. Wiz identified approximately 1,400 public-facing Gogs instances, with over 700 confirming signs of compromise.

The attacks appear to be the work of a single actor or group utilizing an automated “smash-and-grab” approach. All infected instances featured repositories with random 8-character names created within a tight timeframe around July 10.

The payload delivered is Supershell, an open-source Command and Control (C2) framework written in Go.

The malware was heavily obfuscated with UPX packing and the garble tool, which encrypts string literals and randomizes class names, complicating reverse engineering. Supershell establishes a reverse SSH shell via web services, granting the attacker persistent remote access.

Vulnerability Summary and IoCs

Feature             Details
------------------  ------------------------------------------------
Zero-Day CVE        CVE-2025-8110 (Symlink Bypass)
Related CVE         CVE-2024-55947 (Original RCE)
Affected Software   Gogs (Self-Hosted Git Service)
Affected Versions   v0.13.3 and prior
Status              Unpatched (Active Exploitation)
C2 IP Addresses     119.45.176[.]196, 106.53.108[.]81, 119.91.42[.]53

Despite Wiz’s responsible disclosure on July 17, 2025, and the maintainers’ acknowledgment in October, the vulnerability remains unfixed in the main branch.

Administrators running Gogs are urged to assume compromise if their instance is internet-exposed with open registration.

Immediate mitigation steps include disabling “Open Registration” to prevent unauthorized account creation and restricting access to the service via VPN or IP allow-lists. Security teams should scan for unexpected repositories or anomalous usage of the PutContents API.
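The two hunting signals the article names, repositories with random 8-character names and anomalous PutContents writes, can be turned into a simple log scan. The Go program below is an added example, not code from the article or from the Gogs project. It runs over constructed request-log lines written in the shape of a Macaron-style access log (the exact format of your instance's log, and the assumed `/api/v1/repos/{owner}/{repo}/contents/{path}` route for PutContents, should be checked against your deployment) and flags PUT requests whose repository name is eight lowercase alphanumerics or whose target path contains a `.git` component.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// sampleLog is constructed sample data in an assumed Macaron-style request
// log layout; it is not taken from a real Gogs instance.
const sampleLog = `[Macaron] 2025-07-10 03:14:15: Started GET /api/v1/repos/alice/website/contents/README.md for 10.0.0.5
[Macaron] 2025-07-10 03:14:16: Started PUT /api/v1/repos/alice/website/contents/docs/index.md for 10.0.0.5
[Macaron] 2025-07-10 03:15:02: Started PUT /api/v1/repos/bob/k3j9x2qp/contents/.git/config for 203.0.113.7
[Macaron] 2025-07-10 03:15:03: Started PUT /api/v1/repos/bob/k3j9x2qp/contents/hooks/post-receive for 203.0.113.7
[Macaron] 2025-07-10 03:16:40: Started PUT /api/v1/repos/carol/deploy-tools/contents/docs/setup.md for 203.0.113.7
`

// reqRe captures timestamp, method, owner, repo, in-repo path and client for
// requests hitting the (assumed) contents API route.
var reqRe = regexp.MustCompile(
	`^\[Macaron\] (\S+ \S+): Started (GET|PUT|POST|DELETE) /api/v1/repos/([^/]+)/([^/]+)/contents/(\S+) for (\S+)$`)

// randomName matches the naming pattern the article associates with the
// automated campaign: exactly eight lowercase alphanumerics.
var randomName = regexp.MustCompile(`^[a-z0-9]{8}$`)

// Finding is one flagged PutContents request with the reasons it was flagged.
type Finding struct {
	Time, Client, Owner, Repo, Path string
	Reasons                         []string
}

// Scan parses the log and returns every PUT to the contents API that trips
// at least one of the two heuristics.
func Scan(log string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		m := reqRe.FindStringSubmatch(sc.Text())
		if m == nil || m[2] != "PUT" {
			continue // only PutContents writes are of interest here
		}
		var reasons []string
		if randomName.MatchString(m[4]) {
			reasons = append(reasons, "repository name looks machine-generated (8 alphanumerics)")
		}
		for _, part := range strings.Split(m[5], "/") {
			if part == ".git" {
				reasons = append(reasons, "PutContents path targets .git metadata")
				break
			}
		}
		if len(reasons) > 0 {
			out = append(out, Finding{Time: m[1], Client: m[6], Owner: m[3], Repo: m[4], Path: m[5], Reasons: reasons})
		}
	}
	return out
}

func main() {
	for _, f := range Scan(sampleLog) {
		fmt.Printf("%s %s %s/%s %s\n", f.Time, f.Client, f.Owner, f.Repo, f.Path)
		for _, r := range f.Reasons {
			fmt.Println("  -", r)
		}
	}
}
```

Treat a hit as a triage lead rather than a verdict: an ordinary repository can legitimately have an eight-character name, so the useful signal is the combination of a fresh repository, a write into `.git`, and a burst of such requests from one client in a short window.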
