CVE-2025-8110
Published 2025-12-10
CVE-2025-8110: Improper Symbolic link handling in the PutContents API in Gogs allows Local Execution of Code.
Priority P1 · 95 · high · 8.8 CVSS 3.1
AV:N AC:L PR:L UI:N S:U C:H I:H A:H
KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, due 2026-02-02
Exploited in the wild
EPSS 76.54% (99.5th percentile)
Improper Symbolic link handling in the PutContents API in Gogs allows Local Execution of Code.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gogs.io | gogs | 0 – 0.13.3 | — |
| gogs | gogs | <= 0.13.3 | — |
Detection & IOCs (extracted from sources)
- Look for repositories with random 8-character names created during the attack windows (July 10, 2025 and November 1, 2025) — a hallmark of the automated exploitation campaign.
- Monitor for suspicious or anomalous use of the PutContents API, especially writes that resolve through symbolic links to paths outside the repository directory.
- Detect UPX-packed Go binaries compiled with the garble tool on Gogs host systems; these are characteristic of the Supershell C2 payload observed in this campaign.
- Hunt for the Supershell C2 framework on compromised hosts — it establishes a reverse SSH shell communicating over web services for remote control.
- Check .git/config on Gogs-hosted repositories for unexpected or modified sshCommand entries, which indicate post-exploitation persistence.
- All infected instances shared the same pattern of 8-character random owner/repo names created within the same short time window (July 10th); use this as a hunting pivot across exposed Gogs instances.
- Gogs instances with open registration enabled (the default) are exploitable by any unauthenticated user who self-registers, dramatically expanding the attack surface beyond authenticated users.
- The CVE-2025-8110 bypass works even on instances that were patched against CVE-2024-55947, because the prior fix only validated path names but did not check symlink destinations.
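A hunting sweep over a Gogs repository root for two of the IOCs listed above: random 8-character owner/repo name pairs and sshCommand entries in git config files. This is an added example, not code from Wiz or the Gogs project; the GOGS_REPO_ROOT variable, the lowercase alphanumeric alphabet for "random" names and the two config locations checked are assumptions.

```go
package main
import (
	"fmt"
	"log"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// randomName approximates the 8-character random owner/repo names from the IOCs
// above; the lowercase alphanumeric alphabet is an assumption.
var randomName = regexp.MustCompile(`^[a-z0-9]{8}$`)

// HuntGogsRepos scans <root>/<owner>/<repo>.git and returns "path<TAB>reason" hits for
// machine-looking owner/repo name pairs and git configs (config or .git/config) with a sshCommand entry.
func HuntGogsRepos(root string) ([]string, error) {
	repoDirs, err := filepath.Glob(filepath.Join(root, "*", "*"))
	if err != nil {
		return nil, err
	}
	var hits []string
	for _, repoDir := range repoDirs {
		owner := filepath.Base(filepath.Dir(repoDir))
		repo := strings.TrimSuffix(filepath.Base(repoDir), ".git")
		if randomName.MatchString(owner) && randomName.MatchString(repo) {
			hits = append(hits, repoDir+"\t8-char random owner/repo name")
		}
		for _, cfg := range []string{"config", filepath.Join(".git", "config")} {
			if v, ok := sshCommandIn(filepath.Join(repoDir, cfg)); ok {
				hits = append(hits, filepath.Join(repoDir, cfg)+"\tsshCommand = "+v)
			}
		}
	}
	return hits, nil
}

// sshCommandIn returns the value of the first sshCommand key in a git config file.
func sshCommandIn(path string) (string, bool) {
	data, err := os.ReadFile(path)
	if err != nil {
		return "", false
	}
	for _, line := range strings.Split(string(data), "\n") {
		k, v, ok := strings.Cut(line, "=")
		if ok && strings.EqualFold(strings.TrimSpace(k), "sshCommand") {
			return strings.TrimSpace(v), true
		}
	}
	return "", false
}

// main reads the repository root from GOGS_REPO_ROOT (a convention assumed here, not a Gogs setting).
func main() {
	hits, err := HuntGogsRepos(os.Getenv("GOGS_REPO_ROOT"))
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println(strings.Join(hits, "\n"))
}
```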
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | 4.0 | 8.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:C/RE:X/U:X |
| ghsa | | 8.7 | HIGH | |
| osv | | 8.7 | HIGH | |
| vulncheck | | 9.8 | CRITICAL | |
| cisa | | 8.7 | HIGH | |
OSV
osv · 2025-12-15 · CVSS 8.7
CVE-2025-8110 [HIGH] Gogs vulnerable to a bypass of CVE-2024-55947 in gogs.io/gogs
GHSA
ghsa · 2025-12-10 · CVSS 8.7
CVE-2025-8110 [HIGH] CWE-22 Gogs vulnerable to a bypass of CVE-2024-55947
Improper Symbolic link handling in the PutContents API in Gogs allows Local Execution of Code.
OSV
osv · 2025-12-10 · CVSS 8.7
CVE-2025-8110 [HIGH] Gogs vulnerable to a bypass of CVE-2024-55947
Improper Symbolic link handling in the PutContents API in Gogs allows Local Execution of Code.
VulnCheck
vulncheck · 2025 · CVSS 8.7
CVE-2025-8110 [HIGH] CWE-22 Gogs Path Traversal Vulnerability
Gogs contains a path traversal vulnerability affecting improper Symbolic link handling in the PutContents API that could allow for code execution.
Affected: Gogs Gogs
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.wiz.io/blog/wiz-research-gogs-cve-2025-8110-rce-exploit; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.recordedfuture.com/blog/december-2025-cve-landscape; https://hunt.io/blog/china-hosting-malware-c2-infrastructure; https://www.loginsoft.com/reports/annually/vulnerability-intelligence-report-2025; https://www.recordedfut
VulnCheck
vulncheck · 2023 · CVSS 9.8
CVE-2023-46747 [CRITICAL] CWE-288 F5 BIG-IP Configuration Utility Authentication Bypass Vulnerability
F5 BIG-IP Configuration utility contains an authentication bypass using an alternate path or channel vulnerability due to undisclosed requests that may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute system commands. This vulnerability can be used in conjunction with CVE-2023-46748.
Affected: F5 BIG-IP Configuration Utility
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://cyble.com/blog/active-exploita
CISA
cisa · 2026-01-12 · CVSS 8.7
CVE-2025-8110 [HIGH] CWE-22 Gogs Path Traversal Vulnerability
Affected: Gogs Gogs
Gogs contains a path traversal vulnerability affecting improper Symbolic link handling in the PutContents API that could allow for code execution.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://github.com/gogs/gogs/commit/553707f3fd5f68f47f531cfcff56aa3ec294c6f6 ; https://nvd.nist.gov/vuln/detail/CVE-2025-8110
Remediation Due Date: 2026-02-02
No detection rules found.
Nuclei
nuclei · CVSS 8.7
CVE-2025-8110 [HIGH] Gogs <= 0.13.3 - Remote Code Execution
Gogs self-hosted Git service versions 0.13.3 and earlier contain a critical symlink bypass vulnerability that circumvents the fix for CVE-2024-55947. Authenticated users can exploit improper symbolic link handling in the PutContents API to overwrite files outside the repository by committing a symlink pointing to sensitive targets, leading to remote code execution. As of December 2025, this remains an unpatched zero-day with active exploitation ongoing. Approximately 1,400 exposed Gogs instances exist, with over 700 showing signs of compromise. The vulnerability stems from the API writing to file paths without checking if targets are symlinks pointing outside the repository. Gogs maintainers are working on a fix.
Template:
id: CVE-2025-8110
info:
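To make the distinction in the Nuclei description concrete: a name-only path check of the kind this page attributes to the CVE-2024-55947 fix, beside a symlink-aware check that resolves the deepest existing path component before a write is allowed. This is an added example in Go (the language Gogs is written in), not the Gogs patch; the function names and the rejection policy are this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRepo is returned when a requested write would land outside the repository.
var ErrOutsideRepo = errors.New("path escapes repository")

// LexicalCheck models the name-only validation this page attributes to the
// CVE-2024-55947 fix: it rejects ".." traversal but never consults the filesystem.
func LexicalCheck(root, rel string) (string, error) {
	clean := filepath.Clean(rel)
	if filepath.IsAbs(clean) || clean == ".." || strings.HasPrefix(clean, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRepo
	}
	return filepath.Join(root, clean), nil
}

// ResolvedCheck (added here, not Gogs' actual patch) additionally resolves symlinks
// in the deepest existing ancestor and requires the real target to stay under root.
func ResolvedCheck(root, rel string) (string, error) {
	full, err := LexicalCheck(root, rel)
	if err != nil {
		return "", err
	}
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	// Components that do not exist yet cannot be symlinks: peel them off, resolve
	// what does exist, then re-append them.
	existing, missing := full, ""
	for {
		_, err := os.Lstat(existing)
		if err == nil {
			break
		}
		if !errors.Is(err, os.ErrNotExist) {
			return "", err
		}
		missing = filepath.Join(filepath.Base(existing), missing)
		existing = filepath.Dir(existing)
	}
	resolved, err := filepath.EvalSymlinks(existing)
	if err != nil {
		return "", err
	}
	resolved = filepath.Join(resolved, missing)
	if !strings.HasPrefix(resolved, realRoot+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %s resolves to %s", ErrOutsideRepo, rel, resolved)
	}
	// Still check-then-write: the write itself should open with O_NOFOLLOW or re-verify under a lock.
	return full, nil
}
```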
Bleepingcomputer
blogs_bleepingcomputer · 2026-06-08
CVE-2024-39933 Gogs patches critical zero-day enabling remote code execution
By Sergiu Gatlan
Gogs has patched a critical security zero-day flaw that can allow attackers to compromise Internet-facing instances and access any repositories (including private ones).
This argument injection vulnerability has yet to be assigned a CVE ID, can only be exploited by authenticated attackers without admin privileges, and affects all Gogs releases up to and including 0.14.2 and 0.15.0+dev.
They can exploit this vulnerability to compromise the targeted server, read any repository (including private repos), steal credentials, move laterally to other systems on the network, and alter any hosted source code.
While threat actors would need at least basic user privileges to exploit the flaw, Rapid7 security resear
Bleepingcomputer
blogs_bleepingcomputer · 2026-05-28 · CVSS 7.7
CVE-2024-39933 [HIGH] New Gogs zero-day flaw lets hackers get remote code execution
By Sergiu Gatlan
An unpatched zero-day vulnerability in the Gogs self-hosted Git service can allow attackers to gain remote code execution (RCE) on Internet-facing instances.
Designed as an alternative to GitHub Enterprise or GitLab and written in Go, Gogs is often exposed online for remote collaboration.
This critical severity argument injection security flaw has yet to be assigned a CVE ID, affects the latest release versions (Gogs 0.14.2 and 0.15.0+dev), and can only be exploited by authenticated attackers without admin privileges.
However, even though it requires basic user privileges to exploit, Rapid7 senior security researcher Jonah Burgess (who discovered the flaw) said the vulnerability affects all Gogs servers
Recorded Future
blogs_recorded_future · 2026-02-24 · CVSS 7.8
[HIGH] January 2026 CVE Landscape: 23 Critical Vulnerabilities Mark 5% Increase, APT28 Exploits Microsoft Office Zero-Day
January 2026 saw a modest 5% increase in high-impact vulnerabilities, with Recorded Future's Insikt Group® identifying 23 vulnerabilities requiring immediate remediation, up from 22 in December 2025. Noteworthy trends last month included Russian state-sponsored exploitation of a Microsoft Office zero-day and critical authentication bypass flaws affecting enterprise infrastructure.
What security teams need to know:
- APT28's Operation Neusploit: Russian state-sponsored actors exploited CVE-2026-21509 (Microsoft Office) via weaponized RTF files, delivering MiniDoor, PixyNetLoader, and Covenant Grunt implants
- Microsoft and SmarterTools lead concerns: These vendors accounted
Wiz
blogs_wiz · 2026-01-22 · CVSS 8.7
CVE-2025-55182 [HIGH] Crying Out Cloud Monthly Newsletter - January 2026 | Wiz
Welcome back! In this edition, we bring you the latest in cloud security: noteworthy incidents, exclusive data, and crucial vulnerabilities. Let’s jump in.
## 🔍 Highlights
React2Shell: Critical RCE Vulnerability in React and Next.js
React2Shell (CVE-2025-55182) is a critical, unauthenticated remote code execution vulnerability rooted in insecure deserialization within the React Server Components (RSC) “Flight” protocol, impacting React 19 and RSC-enabled frameworks, most notably Next.js. The flaw affects default configurations, meaning standard production deployments can be exploited with a single crafted HTTP request and no developer misconfiguration, with exploitation demonstrating near-100% reliability.
Since early December 2025, exploitation has been observed in the wild by multipl
Recorded Future
blogs_recorded_future · 2026-01-13 · CVSS 10.0
CVE-2025-55182 [CRITICAL] December 2025 CVE Landscape: 22 Critical Vulnerabilities Mark 120% Surge, React2Shell Dominates Threat Activity
December 2025 witnessed a dramatic 120% increase in high-impact vulnerabilities, with Recorded Future's Insikt Group® identifying 22 vulnerabilities requiring immediate remediation, up from 10 in November. The month was dominated by widespread exploitation of Meta's React Server Components flaw.
What security teams need to know:
- React2Shell pandemonium: CVE-2025-55182 triggered a global exploitation wave with multiple threat actors deploying diverse malware families
- China-nexus exploitation intensifies: Earth Lamia, Jackpot Panda, and UAT-9686 leveraged critical flaws for espionage operations
- Public exploits proliferate: Eleven of 22 vulnerabilities have proof-of-concept
Bleepingcomputer
blogs_bleepingcomputer · 2026-01-12 · CVSS 8.7
CVE-2025-8110 [HIGH] CISA orders feds to patch Gogs RCE flaw exploited in zero-day attacks
By Sergiu Gatlan
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered government agencies to secure their systems against a high-severity Gogs vulnerability that was exploited in zero-day attacks.
Designed as an alternative to GitLab or GitHub Enterprise and written in Go, Gogs is often exposed online for remote collaboration.
Tracked as CVE-2025-8110, this remote code execution (RCE) security flaw stems from a path traversal weakness in the PutContents API and allows authenticated attackers to bypass protections implemented for a previously patched RCE bug (CVE-2024-55947) by overwriting files outside the repository via symbolic links.
Attackers can abuse this flaw by creating repos con
Bleepingcomputer
blogs_bleepingcomputer · 2025-12-11 · CVSS 8.7
CVE-2025-8110 [HIGH] Hackers exploit unpatched Gogs zero-day to breach 700 servers
By Sergiu Gatlan
An unpatched zero-day vulnerability in Gogs, a popular self-hosted Git service, has enabled attackers to gain remote code execution on Internet-facing instances and compromise hundreds of servers.
Written in Go and designed as an alternative to GitLab or GitHub Enterprise, Gogs is also often exposed online for remote collaboration.
CVE-2025-8110, the Gogs RCE vulnerability exploited in these attacks, stems from a path traversal weakness in the PutContents API. The flaw allows threat actors to bypass the protections implemented for a previously patched remote code execution bug (CVE-2024-55947) by using symbolic links to overwrite files outside the repository.
While Gogs versions that addressed the CVE-2
Wiz
blogs_wiz · 2025-12-10 · CVSS 8.7
CVE-2025-8110 [HIGH] Gogs Zero-Day RCE (CVE-2025-8110) Actively Exploited | Wiz Blog
## Executive Summary
- While investigating a malware infection on a customer workload, Wiz Research discovered an active zero-day vulnerability in Gogs, a popular self-hosted Git service.
- A symlink bypass (CVE-2025-8110) of a previously patched RCE (CVE-2024-55947) allows authenticated users to overwrite files outside the repository, leading to Remote Code Execution (RCE).
- We identified over 700 compromised instances public-facing on the internet.
- Update: As of January 23, 2026, a fix has been issued in version v0.13.4.
## Introduction
On July 10th, the Wiz Threat Research team observed malware findings on public-facing instances of Gogs, a popular self-hosted Git service. What began as a routine investigation into an infected machine turned into the accidental discovery of a live z
Wiz
blogs_wiz · CVSS 8.7
CVE-2025-8110 [HIGH] CVE-2025-8110 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-8110: Gogs vulnerability analysis and mitigation
Improper Symbolic link handling in the PutContents API in Gogs allows Local Execution of Code.
Source: NVD
| Field | Value |
|---|---|
| Score | 8.7 |
| Published | December 10, 2025 |
| Severity | HIGH |
| CNA Score | 8.7 |
| High-profile Vulnerability | Yes |
| Affected Technologies | Gogs |
| Has Public Exploit | Yes |
| Has CISA KEV Exploit | Yes |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 95.6 |
| Exploitation Probability (EPSS) | 21.1 |
Affected packages and libraries: gogs (cpe:2.3:a:gogits:gogs)
Sources
| Source | Severity | Fix | Added at |
|---|---|---|---|
| Alpine 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20 | HIGH | No Fix | Jan 14, 2026 |
| GoLang | HIGH | No Fix | Dec 11, 2025 |
| Homebrew | HIGH | No Fix | Jan 14, 2026 |
Nix Seve
References
- http://wiz.io/blog/wiz-research-gogs-cve-2025-8110-rce-exploit
- http://www.openwall.com/lists/oss-security/2025/12/11/3
- http://www.openwall.com/lists/oss-security/2025/12/11/4
- http://www.openwall.com/lists/oss-security/2026/01/17/4
- http://www.openwall.com/lists/oss-security/2026/01/18/1
- http://www.openwall.com/lists/oss-security/2026/01/18/2
- https://github.com/gogs/gogs/commit/553707f3fd5f68f47f531cfcff56aa3ec294c6f6
- https://github.com/gogs/gogs/pull/8078
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-8110
Timeline
- 2025-12-10: Published
- 2026-01-12: Added to CISA KEV
- Exploited in the wild