A routine malware investigation has spiraled into the discovery of a widespread “smash-and-grab” campaign targeting the developer community. The Wiz Threat Research team has uncovered an active zero-day vulnerability in Gogs, a popular self-hosted Git service, which creates a massive security hole for thousands of organizations.
The flaw, tracked as CVE-2025-8110, allows attackers to bypass previous security patches and execute arbitrary code on the server. As of December 1, 2025, active exploitation is ongoing, and no official patch has been released.
The discovery began not with a code audit, but with a forensic hunt. “What began as a routine investigation into an infected machine turned into the accidental discovery of a live zero-day vulnerability,” the report states.
While analyzing a compromised workload, researchers found a Gogs instance running a version that should have been secure. Yet, the evidence was undeniable: a threat actor was exploiting a previously unknown method to bypass existing defenses.
The vulnerability is a classic case of a patch that didn’t quite cover all the angles. It serves as a bypass for CVE-2024-55947, a path traversal flaw patched earlier this year. While the original fix validated file paths, it failed to account for symbolic links (symlinks)—shortcuts that point to other files.
“The vulnerability arises because the API writes to the file path without checking if the target file is actually a symlink pointing outside the repo,” the researchers explain.
This oversight makes exploitation simple. “The exploitation process is trivial for any user with repository creation permissions.” An attacker merely needs to commit a symlink pointing to a sensitive system file (like a configuration file) and then write data to it via the API. By overwriting files like .git/config, they can force the server to execute malicious commands.
Out of approximately 1,400 exposed Gogs instances scanned by Wiz, over 700 showed signs of compromise. “In other words, over 50% of the exposed instances we observed showed signs of compromise.”
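The gap the researchers describe, shown as an added Go example that is not Gogs code: a lexical-only path check of the kind the earlier fix relied on, beside a hardened version that resolves symlinks on disk before deciding. Function names and the temporary repository layout are constructed for illustration.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// naiveResolve is the lexical-only check: "../" is cleaned away, but nobody asks what the path points to on disk.
func naiveResolve(repoRoot, relPath string) (string, error) {
	root := filepath.Clean(repoRoot)
	full := filepath.Join(root, relPath)
	if !strings.HasPrefix(full, root+string(os.PathSeparator)) {
		return "", fmt.Errorf("path %q resolves outside the repository", relPath)
	}
	return full, nil
}

// safeResolve adds the missing step: resolve symlinks on the longest existing prefix
// (so not-yet-created files are covered too) and require the real location to stay under the real root.
func safeResolve(repoRoot, relPath string) (string, error) {
	full, err := naiveResolve(repoRoot, relPath)
	if err != nil {
		return "", err
	}
	existing := full // walk up until a path component actually exists on disk
	for _, e := os.Lstat(existing); e != nil && filepath.Dir(existing) != existing; _, e = os.Lstat(existing) {
		existing = filepath.Dir(existing)
	}
	realRoot, errRoot := filepath.EvalSymlinks(repoRoot)
	real, errPath := filepath.EvalSymlinks(existing)
	if errRoot != nil || errPath != nil {
		return "", fmt.Errorf("cannot resolve path: %v %v", errRoot, errPath)
	}
	if !strings.HasPrefix(real+string(os.PathSeparator), realRoot+string(os.PathSeparator)) {
		return "", fmt.Errorf("path %q resolves to %s, outside the repository", relPath, real)
	}
	return full, nil
}

func main() {
	root, _ := os.MkdirTemp("", "repo")
	defer os.RemoveAll(root)
	_ = os.Symlink(os.TempDir(), filepath.Join(root, "cfg")) // constructed: a committed symlink escaping the repo
	_, naiveErr := naiveResolve(root, "cfg/config")
	_, safeErr := safeResolve(root, "cfg/config")
	fmt.Println("naive:", naiveErr, "| safe:", safeErr)
}
```

The check is still separated from the write by a window in which the link can change; a production fix would also open the target with flags that refuse to follow symlinks (O_NOFOLLOW for the final component, or openat2 with RESOLVE_BENEATH on Linux).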
The attacks follow a distinct, automated pattern. Infected servers feature repositories with “random 8-character names created within the same short time window,” specifically around July 10th. The brazen visibility of these artifacts suggests an unsophisticated but effective “smash-and-grab” style campaign, rather than a stealthy espionage operation.
Once inside, the attackers deploy a sophisticated payload constructed using the Supershell framework. This open-source Command and Control (C2) platform establishes a reverse SSH shell, granting the attacker full remote control over the compromised system.
To hide their tracks, the malware authors heavily obfuscated the binary using garble and UPX packing. “That means that all class names are randomized and most string literals are encrypted on disk… heavily limiting static analysis of the file.”
With no patch currently available, administrators running Gogs must act fast. The report identifies the default “Open Registration” setting as a critical weakness.
Immediate Actions Required:
- Disable Open Registration: If your instance allows public sign-ups, turn this off immediately.
- Isolate the Service: Place your self-hosted Git service behind a VPN or restrict access to an IP allow-list.
- Hunt for Indicators: Check your Gogs instance for repositories with random 8-character names created around July 10th.