A path traversal flaw in self-hosted Git service Gogs has been actively exploited for months, prompting CISA to mandate federal agencies to patch or discontinue use immediately.

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent directive ordering all federal agencies to either patch or completely discontinue use of Gogs, an open-source Git hosting service, after adding a critical vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. Tracked as CVE-2025-8110, this high-severity path traversal flaw enables attackers to execute malicious code on affected systems and has been actively weaponized since at least December 2025.
Gogs provides self-hosted Git repository management similar to GitHub, allowing organizations to maintain code repositories on private infrastructure. The vulnerability stems from improper handling of symbolic links (pointers to files or directories), allowing authenticated users to bypass security controls and overwrite arbitrary system files. This grants attackers full remote code execution capabilities on unpatched servers.
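The failure mode described above, as an added illustration that is not Gogs code and does not reproduce CVE-2025-8110: a path check that only inspects the string (which a symlink inside the repository slips past) next to one that resolves symlinks before testing whether the target stays under the repository root. The temp-dir layout and file names are constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// naiveWithinRoot is a purely lexical check: it cleans the joined path and
// compares prefixes but never looks at what the path points to on disk.
func naiveWithinRoot(root, rel string) bool {
	full := filepath.Clean(filepath.Join(root, rel))
	return full == root || strings.HasPrefix(full, root+string(filepath.Separator))
}

// safeWithinRoot resolves symlinks in both root and candidate before the
// containment check, so a link aimed outside the repository is rejected.
func safeWithinRoot(root, rel string) bool {
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return false
	}
	resolved, err := filepath.EvalSymlinks(filepath.Join(realRoot, rel))
	if err != nil {
		return false
	}
	r, err := filepath.Rel(realRoot, resolved)
	return err == nil && r != ".." && !strings.HasPrefix(r, ".."+string(filepath.Separator))
}

// demo builds a constructed scenario in a temp dir: a repository root holding
// a symlink "config" that targets a file outside it, then runs both checks.
func demo() (naiveOK, safeOK bool, err error) {
	base, err := os.MkdirTemp("", "symlink-demo")
	if err != nil {
		return false, false, err
	}
	defer os.RemoveAll(base)
	root, outside := filepath.Join(base, "repo"), filepath.Join(base, "secret.txt")
	if err = errors.Join(os.Mkdir(root, 0o755), os.WriteFile(outside, nil, 0o600),
		os.Symlink(outside, filepath.Join(root, "config"))); err != nil {
		return false, false, err
	}
	return naiveWithinRoot(root, "config"), safeWithinRoot(root, "config"), nil
}

func main() { fmt.Println(demo()) }
```

Running it prints `true false <nil>`: the lexical check accepts the symlinked path, the resolving check rejects it.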
Security researchers from Wiz discovered the flaw during a malware investigation in July 2025, finding that over 700 internet-exposed Gogs instances had already been compromised by attackers using the vulnerability. Their analysis revealed approximately 1,400 publicly accessible Gogs servers worldwide, all vulnerable to exploitation due to the unpatched flaw. According to Wiz researcher Yaara Shriki, evidence suggests threat actors operating from Asia are leveraging the Supershell command-and-control framework in these attacks.
CISA's KEV catalog inclusion triggers binding remediation requirements under Binding Operational Directive 22-01 for all federal civilian executive branch agencies. The agency emphasized that such vulnerabilities represent "a frequent attack vector for malicious cyber actors and pose significant risks to the federal enterprise." Federal agencies must implement mitigations by January 27, 2026, or cease using Gogs entirely.
For non-federal organizations, the risks are equally severe. Gogs maintainers haven't released a patch despite months of active exploitation, forcing administrators to implement stopgap measures:
- Disabling open registration to limit potential attackers
- Placing instances behind VPNs or firewalls
- Strictly limiting repository permissions
The vulnerability represents a failure to properly address a previous security fix (CVE-2024-XXXX), highlighting ongoing challenges in securing developer toolchains. As code repositories often contain sensitive credentials and proprietary intellectual property, this vulnerability creates substantial data breach risks beyond immediate system compromise.
Organizations using Gogs should immediately audit exposure status and implement network-level protections. Those handling sensitive data should consider migrating to alternative solutions until Gogs provides a comprehensive security update. CISA maintains the Known Exploited Vulnerabilities Catalog for tracking active threats requiring prioritized remediation.