CISA warns attackers are actively exploiting a critical path traversal flaw (CVE-2025-8110) in Gogs self-hosted Git servers, enabling remote code execution on unpatched systems.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has urgently added a high-severity vulnerability in Gogs to its Known Exploited Vulnerabilities catalog, confirming active attacks against unpatched self-hosted Git servers. Tracked as CVE-2025-8110 with an 8.7 CVSS score, this path traversal flaw enables attackers to execute malicious code on vulnerable systems.

Security researchers at Wiz revealed last month that attackers exploit this vulnerability by creating a Git repository containing a symbolic link pointing to sensitive system files. By manipulating the PutContents API, attackers can overwrite critical files like Git configuration settings. "This bypasses previous protections implemented for CVE-2024-55947," explained Wiz researchers. "Attackers specifically target the sshCommand setting to achieve remote code execution."
Current scans show approximately 1,600 internet-exposed Gogs servers globally, with significant concentrations in China (991 servers), the United States (146), and Germany (98). Wiz confirmed at least 700 compromised instances, highlighting the attack's real-world impact. The maintainers of the Gogs project have implemented code fixes in GitHub pull requests, with a maintainer stating: "Once the image is built on main, both gogs/gogs:latest and gogs/gogs:next-latest will have this CVE patched."
Until official patches are released, administrators should:
- Immediately disable open registration in Gogs settings
- Restrict server access via VPN or IP allow-listing
- Audit logs for unexpected repository creation or configuration changes
- Monitor the Gogs GitHub repository for patch availability
Federal agencies must implement these mitigations by February 2, 2026. Organizations running self-hosted Git services should prioritize this mitigation due to the vulnerability's critical nature and active exploitation.
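The log-and-config audit step in the list above, as an added example that is not from the article or the Gogs project: a small Python scanner that walks a Gogs repository root (assumed layout `<user>/<repo>.git` with a plain Git `config` file) and reports any repository config carrying the `sshCommand` setting the article says attackers target. The repository names and the planted value are constructed fixtures.

```python
"""Scan Gogs bare-repo configs for a planted sshCommand entry.
Added example, not from the article or the Gogs project. Assumed layout:
REPO_ROOT/<user>/<repo>.git/config; a server-managed bare repo has no
reason to carry sshCommand, so any occurrence is reported as a finding.
"""
import os
import tempfile

SUSPECT_KEY = "sshcommand"  # git config key names are case-insensitive


def find_ssh_command(config_text):
    """Return (section, value) for every sshCommand key in git config text."""
    findings, section = [], ""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()  # e.g. core, remote "origin"
            continue
        key, _, value = line.partition("=")
        if key.strip().lower() == SUSPECT_KEY:
            findings.append((section, value.strip()))
    return findings


def scan_repo_root(repo_root):
    """Walk repo_root and report (path, section, value) for each hit."""
    hits = []
    for dirpath, _, filenames in os.walk(repo_root):
        if dirpath.endswith(".git") and "config" in filenames:
            path = os.path.join(dirpath, "config")
            with open(path, encoding="utf-8", errors="replace") as fh:
                for section, value in find_ssh_command(fh.read()):
                    hits.append((path, section, value))
    return hits


def demo():
    """Constructed fixture: one clean repo, one with a planted sshCommand."""
    root = tempfile.mkdtemp()
    clean = "[core]\n\trepositoryformatversion = 0\n\tbare = true\n"
    planted = clean + "\tsshCommand = /tmp/PLACEHOLDER-not-ssh\n"  # constructed
    for name, text in (("alice/good.git", clean), ("bob/bad.git", planted)):
        os.makedirs(os.path.join(root, name))
        with open(os.path.join(root, name, "config"), "w") as fh:
            fh.write(text)
    return scan_repo_root(root)  # -> one finding, from bob/bad.git/config
```

Run it against the real repository root (for example the `ROOT` value from the `[repository]` section of `app.ini`) and treat every hit as a repository to quarantine and investigate.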
