CVE-2025-8110
published 2025-12-10

CVE-2025-8110: Improper Symbolic link handling in the PutContents API in Gogs allows Local Execution of Code.

  • Priority: P1 (95, high)
  • CVSS 3.1 base score: 8.8 (AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H)
  • Tags: KEV · ITW · EXPLOIT · Initial access
  • CISA Known Exploited Vulnerability, due 2026-02-02
  • Exploited in the wild
  • EPSS: 76.54% (99.5th percentile)

Affected (2 ranges)

Vendor     Product   Version range   Fixed in
gogs.io    gogs      0 – 0.13.3
gogs       gogs      <= 0.13.3

Detection & IOCs (extracted from sources)

Path IOC: .git/config
  • Look for repositories with random 8-character names created during the attack windows (July 10, 2025 and November 1, 2025) — a hallmark of the automated exploitation campaign.
  • Monitor for suspicious or anomalous use of the PutContents API, especially writes that resolve through symbolic links to paths outside the repository directory.
  • Detect UPX-packed Go binaries compiled with the garble tool on Gogs host systems; these are characteristic of the Supershell C2 payload observed in this campaign.
  • Hunt for the Supershell C2 framework on compromised hosts — it establishes a reverse SSH shell communicating over web services for remote control.
  • Check .git/config on Gogs-hosted repositories for unexpected or modified sshCommand entries, which indicate post-exploitation persistence.
  • All infected instances shared the same pattern of 8-character random owner/repo names created within the same short time window (July 10th); use this as a hunting pivot across exposed Gogs instances.
  • Gogs instances with open registration enabled (the default) are exploitable by any unauthenticated user who self-registers, dramatically expanding the attack surface beyond authenticated users.
  • The CVE-2025-8110 bypass works even on instances that were patched against CVE-2024-55947, because the prior fix only validated path names but did not check symlink destinations.
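A defensive sweep that applies two of the hunting pivots listed above (random 8-character owner/repo names, and unexpected sshCommand entries in a repository's git config). This is an added example, not part of this record or of the Gogs project; it assumes the Gogs on-disk layout <repo_root>/<owner>/<repo>.git, and the sample tree it scans is constructed in a temporary directory.

```python
import os
import re
import tempfile

# Heuristics taken from the detection notes above: 8-character alphanumeric
# owner/repo names and unexpected sshCommand keys in the repository's git config.
RANDOM_NAME = re.compile(r"^[A-Za-z0-9]{8}$")
SSH_COMMAND = re.compile(r"^\s*sshCommand\s*=\s*(.+)$", re.IGNORECASE | re.MULTILINE)


def scan_gogs_repos(repo_root: str) -> list[dict]:
    """Walk <repo_root>/<owner>/<repo>.git (assumed Gogs on-disk layout) and
    return one finding per repository that matches either indicator."""
    findings = []
    for owner in sorted(os.listdir(repo_root)):
        owner_dir = os.path.join(repo_root, owner)
        if not os.path.isdir(owner_dir):
            continue
        for repo in sorted(os.listdir(owner_dir)):
            repo_dir = os.path.join(owner_dir, repo)
            if not os.path.isdir(repo_dir):
                continue
            name = repo[:-4] if repo.endswith(".git") else repo
            reasons = []
            if RANDOM_NAME.match(owner) and RANDOM_NAME.match(name):
                reasons.append("random 8-char owner/repo name")
            # Bare repos keep config at the top level; a working checkout keeps it in .git/.
            for cfg in (os.path.join(repo_dir, "config"),
                        os.path.join(repo_dir, ".git", "config")):
                if os.path.isfile(cfg):
                    with open(cfg, encoding="utf-8", errors="replace") as fh:
                        for m in SSH_COMMAND.finditer(fh.read()):
                            reasons.append(f"sshCommand = {m.group(1).strip()}")
            if reasons:
                findings.append({"owner": owner, "repo": name, "reasons": reasons})
    return findings


def demo() -> list[dict]:
    """Constructed sample tree: one benign repo, one showing both indicators."""
    root = tempfile.mkdtemp(prefix="gogs-repositories-")
    benign = os.path.join(root, "alice", "webapp.git")
    os.makedirs(benign)
    with open(os.path.join(benign, "config"), "w") as fh:
        fh.write("[core]\n\trepositoryformatversion = 0\n\tbare = true\n")
    suspect = os.path.join(root, "q7Xk2pLm", "Zr9tBw4n.git")
    os.makedirs(suspect)
    with open(os.path.join(suspect, "config"), "w") as fh:
        fh.write("[core]\n\tbare = true\n\tsshCommand = /tmp/constructed_suspicious_binary\n")
    return scan_gogs_repos(root)
```

Calling demo() returns a single finding for q7Xk2pLm/Zr9tBw4n with both reasons; pass your real repository root to scan_gogs_repos() and combine the name heuristic with the creation-time windows noted above to cut false positives.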

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      8.8     HIGH       CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd         v4.0      8.7     HIGH       CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:C/RE:X/U:X
ghsa                  8.7     HIGH
osv                   8.7     HIGH
vulncheck             9.8     CRITICAL
cisa                  8.7     HIGH