A vulnerability in self-hosted Git service Gogs is facing widespread exploitation, and no patch is available at this time.
That's according to Wiz, which on Dec. 10 published research disclosing CVE-2025-8110, a bypass for a remote code execution vulnerability disclosed for Gogs last year (CVE-2024-55947). Though that previous bug was patched, this new flaw enables threat actors to execute code in vulnerable environments due to a security gap in the original fix.
Gogs is a popular open source software due to its low minimal requirements and ease of use. It is present in thousands of on-premises and cloud environments, and more concerning for a vulnerability like this, is "often exposed to the internet to enable remote collaboration," according to Wiz researchers Gili Tikochinski and Yaara Shriki.
How CVE-2025-8110 Works
As Tikochinski and Shriki put it, previous bug CVE-2024-55947 "abused a path traversal weakness in the PutContents API."
"It allowed an attacker to write files outside the git repository directory, granting the ability to overwrite sensitive system files or configuration files to achieve code execution," they wrote in the blog post. "The maintainers addressed this by adding input validation on the path parameter."
The issue with the fix was, the researchers explained, that it did not account for symbolic links, and more specifically symbolic link abuse.
Related:ClickFix Style Attack Uses Grok, ChatGPT for Malware Delivery
"The Gogs API allows file modification outside of the regular git protocol, and while it now validates path names, it fails to validate the destination of a symbolic link. Because Gogs respects standard Git behavior, it allows users to commit symbolic links to repositories," Tikochinski and Shriki wrote. "The vulnerability arises because the API writes to the file path without checking if the target file is actually a symlink pointing outside the repo. This effectively renders the previous path validation useless if a symlink is involved."
The ultimate attack chain for this new vulnerability is trivial. The attacker creates a standard git repository and uses a symbolic link to overwrite a sensitive target file, and then they can execute arbitrary commands.
... continue reading