← Back to articles
Security· 2 min read

CVE-2025-8110: the Gogs vulnerability CISA confirms is being exploited for code execution

What the vulnerability is

CVE-2025-8110 is a path traversal flaw (CWE-22, “Improper Limitation of a Pathname to a Restricted Directory”) in Gogs, the self-hosted Git repository server written in Go that plenty of administrators run on Linux because it stays light. The problem sits in the repository file editor, specifically the PutContents API, which mishandles symbolic links (symlinks).

The exploitation technique is clever, and that is exactly what makes it dangerous. An attacker creates a Git repository, commits a symbolic link pointing to a sensitive system file, then uses the PutContents API to write data through that symlink. That lets them write to paths outside the repository directory and, eventually, execute code on the server. What stands out is that this flaw bypasses the protections added earlier to fix a previous vulnerability, CVE-2024-55947.

Who is affected

The issue affects Gogs 0.13.3 and earlier, on both Linux and Windows. Any organization or individual running a self-hosted Gogs instance (a common choice for teams that want a lightweight GitLab alternative) is potentially exposed.

Exploitation needs authentication with low privileges (CVSS vector AV:N/AC:L/PR:L/UI:N): the attacker only needs a user account that can create repositories and edit files. On instances with open registration or many internal users, that barrier is next to nothing.

Severity

The vulnerability is rated high severity:

  • CVSS 3.1: 8.8 (NIST/NVD).
  • CVSS 4.0: 8.7 (assigned by Wiz, the firm that discovered it).
  • High impact on confidentiality, integrity, and availability.

The finding mattered because security firm Wiz caught it being exploited in zero-day attacks. So CISA (the U.S. cybersecurity agency) put it in its Known Exploited Vulnerabilities (KEV) catalog on January 12, 2026, with a remediation deadline for federal agencies of February 2, 2026.

Mitigation and patch

When CISA’s advisory came out, no stable patched release had shipped yet, though the project maintainers already had the necessary code changes ready on GitHub. The fix landed in commit 553707f, which adds validation to reject any file update whose path hierarchy contains symbolic links.

Recommendations for administrators:

  1. Update to the fixed image as soon as it is available: according to the maintainers, once the image is built on main, both gogs/gogs:latest and gogs/gogs:next-latest will include the patch.
  2. Restrict user registration and review who can create repositories until you apply the patch.
  3. Isolate the service behind a VPN or internal network, and don’t expose Gogs directly to the Internet.
  4. Review logs for suspicious symlink creation or odd writes via the API.

With a public proof of concept and confirmed exploitation, treat the update as a priority.

Source