CVE-2024-55947
Published 2024-12-23
Priority: P1 · 80 · high · CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Flag: EXPLOIT
EPSS: 75.20% (99.4th percentile)
Gogs is an open source self-hosted Git service. A malicious user is able to write a file to an arbitrary path on the server to gain SSH access to the server. The vulnerability is fixed in 0.13.1.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gogs.io | gogs | >= 0 < 0.13.1 | 0.13.1 |
| gogs.io | gogs | 0 – 0.13.3 | — |
| gogs | gogs | < 0.13.1 | 0.13.1 |
Detection & IOCs (extracted from sources)
- Look for repositories with random 8-character names created during the attack windows (July 10, 2025 and November 1, 2025) as a sign of compromise.
- Monitor for suspicious or unexpected use of the PutContents API, especially writes that resolve through symbolic links to paths outside the repository.
- Detect Gogs version fingerprinting via the login page body string 'Sign In - Gogs: Go Git Service' combined with version extraction from 'Gogs Version:' to identify vulnerable instances (<= 0.13.3).
- The deployed malware is UPX-packed, written in Go, and compiled with the garble tool (randomized class names, encrypted string literals). Use the Supershell C2 framework's reverse SSH-over-web-services behavior as a behavioral detection signal.
- Detect overwrite of the .git/config sshCommand field as an indicator of post-exploitation persistence/RCE setup.
- Use the Shodan query 'http.title:"Sign In - Gogs"' to identify exposed Gogs instances for proactive assessment.
- CVE-2024-55947 is the original path traversal RCE in the PutContents API; the fix added path validation but did not account for symbolic links, which is the root cause of the bypass (CVE-2025-8110). Detection and patching must address both.
- Open Registration is enabled by default in Gogs, meaning any unauthenticated internet user can register and then exploit this vulnerability without any prior account.
- A sophisticated attacker could mark exploit repositories as private or delete them immediately after exploitation, making the 8-character repo name artifact unreliable as a sole indicator.
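The root cause described above (and in the advisory's "Patches" note) is a path check that validated the lexical path but not where the path resolves to once symbolic links committed into the repository are followed. The following Go program is an added example written for this page, not Gogs' own code, showing the containment check a defender would expect from a file-write API: first reject lexical traversal (`../`), then resolve the deepest existing ancestor of the target with `filepath.EvalSymlinks` and confirm the resolved location is still inside the resolved repository root. `SafeRepoPath`, `BuildFixture` and `ErrOutsideRepo` are hypothetical names; the fixture builds a throwaway repository directory containing a symlink that escapes the root, which is a constructed test input.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRepo is returned when a requested path would land outside the
// repository root, either lexically ("../") or by following a symbolic link.
var ErrOutsideRepo = errors.New("path resolves outside repository root")

// isWithin reports whether p is root itself or a descendant of root.
func isWithin(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	if err != nil {
		return false
	}
	return rel == "." || (rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator)))
}

// SafeRepoPath maps a user-supplied relative path to an absolute on-disk path
// under repoRoot, or returns ErrOutsideRepo if the path escapes the root.
// Hypothetical helper for this page; it is not the Gogs implementation.
func SafeRepoPath(repoRoot, userPath string) (string, error) {
	rootReal, err := filepath.EvalSymlinks(repoRoot)
	if err != nil {
		return "", err
	}
	if rootReal, err = filepath.Abs(rootReal); err != nil {
		return "", err
	}

	// Step 1: lexical check. Join cleans "..", so a traversal simply lands
	// outside the root and is rejected here.
	cleaned := filepath.Join(rootReal, userPath)
	if !isWithin(rootReal, cleaned) {
		return "", ErrOutsideRepo
	}

	// Step 2: symlink check. The target may not exist yet (new file), so walk
	// up to the deepest existing ancestor, resolve its symlinks, then re-append
	// the non-existent tail and test containment again.
	existing := cleaned
	var tail []string
	for {
		if _, err := os.Lstat(existing); err == nil {
			break
		}
		tail = append([]string{filepath.Base(existing)}, tail...)
		parent := filepath.Dir(existing)
		if parent == existing {
			return "", ErrOutsideRepo
		}
		existing = parent
	}
	resolved, err := filepath.EvalSymlinks(existing) // fails for dangling links: also a rejection
	if err != nil {
		return "", fmt.Errorf("resolving %s: %w", existing, err)
	}
	final := filepath.Join(append([]string{resolved}, tail...)...)
	if !isWithin(rootReal, final) {
		return "", ErrOutsideRepo
	}
	return final, nil
}

// BuildFixture creates a constructed repository layout under base:
// base/repo/README.md plus base/repo/escape -> base/outside, a directory
// symlink that points outside the repository root.
func BuildFixture(base string) (string, error) {
	repo := filepath.Join(base, "repo")
	outside := filepath.Join(base, "outside")
	for _, d := range []string{repo, outside} {
		if err := os.MkdirAll(d, 0o755); err != nil {
			return "", err
		}
	}
	if err := os.WriteFile(filepath.Join(repo, "README.md"), []byte("# demo\n"), 0o644); err != nil {
		return "", err
	}
	if err := os.Symlink(outside, filepath.Join(repo, "escape")); err != nil {
		return "", err
	}
	return repo, nil
}

func main() {
	base, err := os.MkdirTemp("", "gogs-pathcheck")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(base)
	repo, err := BuildFixture(base)
	if err != nil {
		panic(err)
	}
	for _, p := range []string{"README.md", "docs/new.md", "../../../../home/git/.ssh/authorized_keys", "escape/authorized_keys"} {
		got, err := SafeRepoPath(repo, p)
		fmt.Printf("%-45s -> err=%v path=%s\n", p, err, got)
	}
}
```

The two-step order matters: a lexical check alone is what the original CVE-2024-55947 fix added and is exactly what a committed symlink walks around, while resolving symlinks alone would still let a traversal through a non-existent path slip by. Checking the write target after resolution, against the resolved root, closes both routes.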
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 8.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| ghsa | — | 8.7 | HIGH | — |
| osv | — | 8.7 | HIGH | — |
OSV · 2025-12-15 · CVSS 8.7
CVE-2025-8110 [HIGH] Gogs vulnerable to a bypass of CVE-2024-55947 in gogs.io/gogs
GHSA · 2025-12-10 · CVSS 8.7
CVE-2025-8110 [HIGH] CWE-22 Gogs vulnerable to a bypass of CVE-2024-55947
Improper symbolic link handling in the PutContents API in Gogs allows local execution of code.
OSV · 2025-01-07
CVE-2024-55947 Path Traversal in file update API in gogs in gogs.io/gogs
GHSA · 2024-12-23
CVE-2024-55947 [HIGH] CWE-22 Path Traversal in file update API in gogs
### Impact
The malicious user is able to write a file to an arbitrary path on the server to gain SSH access to the server.
### Patches
Writing files outside the repository's Git directory is now prohibited in the repository file update API (https://github.com/gogs/gogs/pull/7859). Users should upgrade to 0.13.1 or the latest 0.14.0+dev.
### Workarounds
No viable workaround is available; on affected versions, grant access to your Gogs instance only to trusted users.
### References
n/a
### Proof of Concept
1. Generate a Personal Access Token.
2. Edit any file on the server with this request:
```bash
curl -v --path-as-is -X PUT --url "http://localhost:10880/api/v1/repos/Test/bbcc/contents/../../../../../../../../home/git/.ssh/authorized_keys" \
-H "
```
Detection rules: none found.
Nuclei · CVSS 8.7
CVE-2025-8110 [HIGH] Gogs <= 0.13.3 - Remote Code Execution
Gogs self-hosted Git service versions 0.13.3 and earlier contain a critical symlink bypass vulnerability that circumvents the fix for CVE-2024-55947. Authenticated users can exploit improper symbolic link handling in the PutContents API to overwrite files outside the repository by committing a symlink pointing to sensitive targets, leading to remote code execution. As of December 2025, this remains an unpatched zero-day with active exploitation ongoing. Approximately 1,400 exposed Gogs instances exist, with over 700 showing signs of compromise. The vulnerability stems from the API writing to file paths without checking whether targets are symlinks pointing outside the repository. Gogs maintainers are working on a fix.
Template:
```yaml
id: CVE-2025-8110
info:
```
Bleepingcomputer · 2026-01-12 · CVSS 8.7
CVE-2025-8110 [HIGH] CISA orders feds to patch Gogs RCE flaw exploited in zero-day attacks
## CISA orders feds to patch Gogs RCE flaw exploited in zero-day attacks
By Sergiu Gatlan
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered government agencies to secure their systems against a high-severity Gogs vulnerability that was exploited in zero-day attacks.
Designed as an alternative to GitLab or GitHub Enterprise and written in Go, Gogs is often exposed online for remote collaboration.
Tracked as CVE-2025-8110, this remote code execution (RCE) security flaw stems from a path traversal weakness in the PutContents API and allows authenticated attackers to bypass protections implemented for a previously patched RCE bug (CVE-2024-55947) by overwriting files outside the repository via symbolic links.
Attackers can abuse this flaw by creating repos con
Bleepingcomputer · 2025-12-11 · CVSS 8.7
CVE-2025-8110 [HIGH] Hackers exploit unpatched Gogs zero-day to breach 700 servers
## Hackers exploit unpatched Gogs zero-day to breach 700 servers
By Sergiu Gatlan
An unpatched zero-day vulnerability in Gogs, a popular self-hosted Git service, has enabled attackers to gain remote code execution on Internet-facing instances and compromise hundreds of servers.
Written in Go and designed as an alternative to GitLab or GitHub Enterprise, Gogs is also often exposed online for remote collaboration.
CVE-2025-8110, the Gogs RCE vulnerability exploited in these attacks, stems from a path traversal weakness in the PutContents API. The flaw allows threat actors to bypass the protections implemented for a previously patched remote code execution bug (CVE-2024-55947) by using symbolic links to overwrite files outside the repository.
While Gogs versions that addressed the CVE-2
Wiz · 2025-12-10 · CVSS 8.7
CVE-2025-8110 [HIGH] Gogs Zero-Day RCE (CVE-2025-8110) Actively Exploited | Wiz Blog
# Executive Summary
- While investigating a malware infection on a customer workload, Wiz Research discovered an active zero-day vulnerability in Gogs, a popular self-hosted Git service.
- A symlink bypass (CVE-2025-8110) of a previously patched RCE (CVE-2024-55947) allows authenticated users to overwrite files outside the repository, leading to Remote Code Execution (RCE).
- We identified over 700 compromised instances public-facing on the internet.
- Update: As of January 23, 2026, a fix has been issued in version v0.13.4.
# Introduction
On July 10th, the Wiz Threat Research team observed malware findings on public-facing instances of Gogs, a popular self-hosted Git service. What began as a routine investigation into an infected machine turned into the accidental discovery of a live z