Remote Code Execution via File Overwrite in Gogs PutContents API
A critical vulnerability, tracked as CVE-2025-8110, has been identified in the PutContents API of the Gogs self-hosted Git service. The flaw arises from improper handling of symbolic links: a remote, authenticated attacker can direct a file write through a symlink so that it lands outside the repository and overwrites arbitrary files on the server. Successful exploitation enables attackers to execute arbitrary code with the privileges of the Gogs server process, potentially leading to full system compromise. Security researchers have reported that this vulnerability is being actively exploited in the wild, and it affects Gogs versions 0.13.3 and prior.
Currently, there is no patched version available to address CVE-2025-8110. As temporary mitigations, administrators are advised to disable self-registration of new users (exploitation requires an account, and the campaign targets instances with open registration) and to avoid exposing Gogs instances to the internet. Exposed instances can be enumerated with internet-wide search queries that fingerprint Gogs, for example by matching HTTP services on the Gogs favicon hash. Organizations running Gogs should prioritize these mitigations to reduce the risk of exploitation until an official fix is released.
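As an added illustration, not code from Gogs or from any of the reporting summarized on this page, the Go program below shows why a lexical path check of the kind that stops `../` traversal does not stop the symlink route described above, and what a symlink-aware containment check for a "write this file into this repository" API looks like. The repository directory, the `link` symlink, the file names and the function names are constructed for the demonstration and are not Gogs identifiers.

```go
// Added example (not Gogs code): a lexical path check versus a symlink-aware
// one for a "write file at <relPath> inside <repoRoot>" API. Names are
// assumptions for the demonstration.
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var ErrEscapesRepo = errors.New("target path escapes the repository")

// inside reports whether p equals root or sits below it.
func inside(root, p string) bool {
	return p == root || strings.HasPrefix(p, root+string(filepath.Separator))
}

// LexicalCheck only normalises the string: it stops "../" traversal but
// accepts a path that passes through a symlink committed into the
// repository, which is the class of bypass described on this page.
func LexicalCheck(repoRoot, relPath string) (string, error) {
	target := filepath.Join(repoRoot, relPath) // Join cleans ".." components
	if target == repoRoot || !inside(repoRoot, target) {
		return "", ErrEscapesRepo
	}
	return target, nil
}

// SymlinkAwareCheck resolves the repository root and the deepest existing
// ancestor of the target through filepath.EvalSymlinks, confirms the
// resolved location is still under the root, refuses a symlink at the target
// itself, and rejects any path component named ".git".
func SymlinkAwareCheck(repoRoot, relPath string) (string, error) {
	root, err := filepath.EvalSymlinks(repoRoot)
	if err != nil {
		return "", err
	}
	for _, part := range strings.Split(filepath.ToSlash(filepath.Clean(relPath)), "/") {
		if part == ".git" {
			return "", ErrEscapesRepo
		}
	}
	target := filepath.Join(root, relPath)
	if target == root {
		return "", ErrEscapesRepo
	}
	// Walk up until a path component exists on disk, then resolve that one.
	existing := target
	for {
		if _, err := os.Lstat(existing); err == nil {
			break
		}
		parent := filepath.Dir(existing)
		if parent == existing {
			return "", ErrEscapesRepo
		}
		existing = parent
	}
	fi, err := os.Lstat(existing)
	if err != nil {
		return "", err
	}
	if existing == target && fi.Mode()&os.ModeSymlink != 0 {
		return "", ErrEscapesRepo // never write through a symlink at the target
	}
	resolved, err := filepath.EvalSymlinks(existing)
	if err != nil {
		return "", err
	}
	if !inside(root, resolved) {
		return "", ErrEscapesRepo
	}
	return target, nil
}

func main() {
	repo, err := os.MkdirTemp("", "repo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(repo)
	outside, err := os.MkdirTemp("", "outside")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(outside)
	// Constructed attacker setup: a symlink in the repository pointing at a
	// directory outside it, standing in for one pushed in an earlier commit.
	if err := os.Symlink(outside, filepath.Join(repo, "link")); err != nil {
		panic(err)
	}
	for _, rel := range []string{"README.md", "../etc/passwd", "link/config", ".git/config"} {
		_, lexErr := LexicalCheck(repo, rel)
		_, safeErr := SymlinkAwareCheck(repo, rel)
		fmt.Printf("%-14s lexical: %-5v symlink-aware: %v\n", rel, lexErr == nil, safeErr == nil)
	}
}
```

Run as-is, `link/config` passes the lexical check (that is the bypass) and is rejected by the symlink-aware one, `../etc/passwd` is rejected by both, and an ordinary `README.md` write passes both. The hardened check resolves the deepest ancestor that already exists on disk, because a new file's own path cannot be resolved yet, and it refuses to follow a symlink sitting at the target itself; the same reasoning applies on the server whenever an API commits into a checkout that may already contain attacker-committed symlinks.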
Timeline
Dec 11, 2025
Forgejo and Gitea are reported likely unaffected
In an oss-security follow-up on December 11, 2025, a Forgejo developer said the relevant code in Gitea, and therefore in Forgejo, had been rewritten some time earlier and that attack attempts against it had not succeeded. This indicated that the notable Gogs forks were most likely not affected by CVE-2025-8110.
Dec 10, 2025
Reports detail Supershell malware use and scale of compromise
Public reporting on December 10-11, 2025 tied the exploitation to Supershell C2 malware and estimated that over 700 of roughly 1,400-1,500 internet-facing Gogs instances showed signs of compromise. Researchers said the attacks appeared opportunistic, widespread, and likely run by a single actor or group.
Dec 10, 2025
CVE-2025-8110 is published in vulnerability databases
On December 10, 2025, CVE-2025-8110 was formally published with high-severity scoring and descriptions of the PutContents API symlink handling flaw in Gogs. Public proof-of-concept and technical details were also referenced by vulnerability feeds.
Dec 10, 2025
Wiz publicly discloses active exploitation of CVE-2025-8110
Wiz published research on December 10, 2025 describing CVE-2025-8110 as an actively exploited Gogs zero-day affecting version 0.13.3 and earlier. The disclosure said more than 700 public-facing instances had been compromised and that no patch was yet available, and it provided indicators of compromise and mitigations.
Nov 1, 2025
Second wave of Gogs zero-day attacks begins
Researchers observed a renewed wave of exploitation starting on November 1, 2025, showing the campaign was ongoing months after initial abuse began. Reports describe the activity as automated and likely conducted by a single actor or group.
Oct 1, 2025
Gogs maintainers acknowledge the reported vulnerability
According to later reporting, Gogs maintainers acknowledged Wiz's report in October 2025, but no patch had been released at that time. The issue remained unresolved despite prior responsible disclosure.
Jul 10, 2025
Attackers begin exploiting CVE-2025-8110 against exposed Gogs servers
Evidence cited by multiple reports indicates exploitation began around July 2025, including suspicious repositories with random eight-character names created around July 10. The campaign targeted internet-exposed Gogs instances with open registration enabled.
Jul 1, 2025
Wiz discovers Gogs symlink bypass zero-day and reports it to maintainers
Wiz Research discovered CVE-2025-8110 in Gogs during a malware investigation and responsibly disclosed the issue to Gogs maintainers in July 2025. The flaw is a symlink-based bypass of the earlier CVE-2024-55947 protections and can lead to remote code execution.
Sources include The Hacker News, BleepingComputer, GovInfoSecurity, BankInfoSecurity and Dark Reading.
Related Stories

CISA Flags Actively Exploited Gogs Path Traversal Leading to RCE (CVE-2025-8110)
CISA added **CVE-2025-8110** affecting the *Gogs* self-hosted Git service to its **Known Exploited Vulnerabilities (KEV) Catalog**, citing evidence of active exploitation and triggering mandatory remediation timelines for U.S. Federal Civilian Executive Branch (FCEB) agencies under **BOD 22-01**. The issue is described as a **path traversal** weakness that can be leveraged for **remote code execution (RCE)** in real-world attacks, increasing risk for organizations running Internet-exposed Gogs instances. Technical reporting indicates the flaw resides in the `PutContents` API and can be abused by authenticated attackers using **symbolic links** to write outside a repository and overwrite sensitive files; one described route to code execution is overwriting Git configuration (e.g., `sshCommand`) to force arbitrary command execution. Wiz Research tied the vulnerability to observed malware activity on an Internet-facing Gogs server and reported large-scale exposure and compromise signals across the ecosystem (including thousands of exposed servers and hundreds showing signs of compromise), with exploitation observed as a zero-day prior to patch availability; CISA’s KEV action formalizes the exploitation status and elevates patching priority for both government and non-government operators.
1 month ago
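A small hunting script, added here as an example and not taken from Gogs or from any of the sources above, turns two of the signals on this page into a check an operator can run on a Gogs host: git config files carrying an `sshCommand` value (the overwrite route to code execution described in the story just above) and repositories with random-looking eight-character names (the weak signal from the July 2025 timeline entry). It also checks whether `DISABLE_REGISTRATION` is set in `app.ini`, the disable-registration mitigation from the summary. The bare `<owner>/<repo>.git` layout under the repository root, the `[service]` section key, and the sample tree built in `main()` are assumptions constructed for the demonstration.

```go
// Added example (not Gogs code): an offline hunt over a Gogs data directory
// for the signals described on this page. Layout and key names are
// assumptions noted below; the sample tree is constructed in main().
package main

import (
	"bufio"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// Finding is one suspicious artifact under the repository root.
type Finding struct {
	Path   string
	Reason string
}

// Exactly eight lowercase alphanumerics, the naming pattern the reporting
// ties to attacker-created repositories. A weak signal on its own.
var eightRandom = regexp.MustCompile(`^[a-z0-9]{8}$`)

// SSHCommandIn returns the value of an "sshCommand = ..." line in a git
// config, or "" if there is none. Git runs that command for SSH transports,
// which is the overwrite route to code execution described above.
func SSHCommandIn(r io.Reader) string {
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		key, val, ok := strings.Cut(sc.Text(), "=")
		if ok && strings.EqualFold(strings.TrimSpace(key), "sshCommand") {
			return strings.TrimSpace(val)
		}
	}
	return ""
}

// RegistrationDisabled parses an app.ini and reports whether
// DISABLE_REGISTRATION = true appears in its [service] section (the assumed
// key for the "disable registration" mitigation).
func RegistrationDisabled(r io.Reader) bool {
	sc := bufio.NewScanner(r)
	inService := false
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if strings.HasPrefix(line, "[") {
			inService = strings.EqualFold(line, "[service]")
			continue
		}
		key, val, ok := strings.Cut(line, "=")
		if inService && ok && strings.TrimSpace(key) == "DISABLE_REGISTRATION" {
			return strings.EqualFold(strings.TrimSpace(val), "true")
		}
	}
	return false
}

// ScanRepoRoot walks root, assumed to hold bare repositories as
// <owner>/<repo>.git, and flags eight-character repository names and any
// git config ("x.git/config" or a working copy's ".git/config") that sets
// sshCommand.
func ScanRepoRoot(root string) ([]Finding, error) {
	var out []Finding
	err := filepath.WalkDir(root, func(p string, d os.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if d.IsDir() {
			name := strings.TrimSuffix(d.Name(), ".git")
			if name != d.Name() && eightRandom.MatchString(name) {
				out = append(out, Finding{p, "eight-character repository name"})
			}
			return nil
		}
		if d.Name() == "config" && strings.HasSuffix(filepath.Dir(p), ".git") {
			f, err := os.Open(p)
			if err != nil {
				return err
			}
			cmd := SSHCommandIn(f)
			f.Close()
			if cmd != "" {
				out = append(out, Finding{p, "sshCommand set: " + cmd})
			}
		}
		return nil
	})
	return out, err
}

func main() {
	root, err := os.MkdirTemp("", "gogs-repos")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	// Constructed sample tree: one benign repo and one that looks attacker-made.
	for dir, cfg := range map[string]string{
		"alice/docs.git":   "[core]\n\tbare = true\n",
		"bob/a1b2c3d4.git": "[core]\n\tbare = true\n\tsshCommand = /tmp/.x/run\n",
	} {
		if err := os.MkdirAll(filepath.Join(root, dir), 0o755); err != nil {
			panic(err)
		}
		if err := os.WriteFile(filepath.Join(root, dir, "config"), []byte(cfg), 0o644); err != nil {
			panic(err)
		}
	}
	findings, err := ScanRepoRoot(root)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s: %s\n", f.Path, f.Reason)
	}
	ini := "[service]\nDISABLE_REGISTRATION = false\n" // constructed app.ini excerpt
	fmt.Println("registration disabled:", RegistrationDisabled(strings.NewReader(ini)))
}
```

Point `ScanRepoRoot` at the real repository root and `RegistrationDisabled` at the real `app.ini` to use it; an `sshCommand` finding on a server that never set one deliberately is the strong signal, the eight-character names only narrow where to look, and a `false` from the registration check means the mitigation from the summary is not in place.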
Multiple Critical Vulnerability Disclosures Across Gogs, Jinjava, and Kubernetes Local Path Provisioner
Several **high-severity vulnerability disclosures** were published across widely used developer and infrastructure components, with impacts ranging from **remote code execution (RCE)** to **account takeover** and **arbitrary host file writes**. In *Gogs* (self-hosted Git service), three CVEs were reported: **CVE-2025-64111** (CVSS 9.3) enables RCE by bypassing checks in `UpdateRepoFile` to modify `.git/config` via the API (described as an insufficient fix for an earlier issue); **CVE-2025-64175** (CVSS 7.7) allows a **cross-account 2FA recovery-code bypass** in versions `0.13.3` and earlier if an attacker already has a victim’s username/password; and **CVE-2026-24135** (CVSS 7.2) is a wiki rename path traversal that can delete arbitrary files by manipulating `old_title`. Separately, *Jinjava* (HubSpot CMS template engine) disclosed **CVE-2026-25526** (CVSS 9.8), a sandbox escape chain that permits arbitrary Java code execution by abusing `ForTag` iteration behavior (Bean ELResolver restriction bypass) and `ObjectMapper`-based JSON deserialization to instantiate disallowed classes. A critical Kubernetes storage issue was also disclosed in *Kubernetes Local Path Provisioner*: **CVE-2025-62878** (CVSS 10.0) allows directory traversal via the `parameters.pathPattern` setting, enabling a user who can create storage resources to provision volumes in arbitrary host locations (e.g., `/etc`) and potentially overwrite sensitive files on cluster nodes. In parallel to these product flaws, separate research reported widespread **exposure of Git metadata** on the public internet—approximately **4.96 million** IPs with accessible `.git` directories and **250,000+** exposing `.git/config` files that may contain deployment credentials—highlighting a common, high-impact misconfiguration pattern that can enable source code reconstruction and secret theft. 
Active exploitation activity was reported for *Ivanti Endpoint Manager Mobile (EPMM)* involving **CVE-2026-1281** and **CVE-2026-1340**, where attackers were observed dropping `/mifs/403.jsp` and using a Base64-delivered Java class loader designed for delayed, in-memory activation rather than immediate interactive webshell use.
1 month ago
Path Traversal Flaws in goshs Upload Handlers Allow Remote File Write
Two high-severity vulnerabilities, **CVE-2026-35392** and **CVE-2026-35393**, were disclosed in **goshs**, a Go-based SimpleHTTPServer, affecting versions prior to **`2.0.0-beta.3`**. Both issues are classified as **CWE-22 path traversal** flaws that arise from missing pathname sanitization in file upload functionality: **PUT** upload handling in `httpserver/updown.go` and **POST multipart** upload directory processing. The weaknesses could allow remote, unauthenticated attackers to write files outside intended directories. Both CVEs carry the same **CVSS v3** vector, **`AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`**, indicating high impact to confidentiality, integrity, and availability. The vulnerabilities were addressed in **`2.0.0-beta.3`**, and related GitHub security advisories were published alongside the fixes. Organizations using goshs for file upload workflows should prioritize upgrading and review exposed instances for unauthorized file placement or tampering.
3 weeks ago