Remote Code Execution via File Overwrite in Gogs PutContents API
A critical vulnerability, tracked as CVE-2025-8110, has been identified in the PutContents API of the Gogs self-hosted Git service. The flaw arises from improper handling of symbolic links, allowing remote, authenticated attackers to overwrite arbitrary files on the server. Successful exploitation enables attackers to execute arbitrary code with the privileges of the Gogs server process, potentially leading to full system compromise. Security researchers have reported that this vulnerability is being actively exploited in the wild, and it affects Gogs versions 0.13.3 and prior.
Currently, there is no patched version available to address CVE-2025-8110. As temporary mitigations, administrators are advised to disable open (auto-)registration of users and to avoid exposing Gogs instances to the internet. Exposed Gogs installations can be located with internet-scanning search queries, for example by searching for HTTP services whose favicon matches the known Gogs favicon hash. Organizations running Gogs should prioritize these mitigation steps to reduce the risk of exploitation until an official fix is released.

How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
Forgejo and Gitea are reported likely unaffected
In an oss-security follow-up on December 11, 2025, a Forgejo developer said the relevant code in Gitea, and therefore Forgejo, had previously been rewritten and attack attempts had not succeeded. This indicated the notable Gogs forks were most likely not affected by CVE-2025-8110.
Reports detail Supershell malware use and scale of compromise
Public reporting on December 10-11, 2025 tied the exploitation to Supershell C2 malware and estimated that over 700 of roughly 1,400-1,500 internet-facing Gogs instances showed signs of compromise. Researchers said the attacks appeared opportunistic, widespread, and likely run by a single actor or group.
CVE-2025-8110 is published in vulnerability databases
On December 10, 2025, CVE-2025-8110 was formally published with high-severity scoring and descriptions of the PutContents API symlink handling flaw in Gogs. Public proof-of-concept and technical details were also referenced by vulnerability feeds.
Wiz publicly discloses active exploitation of CVE-2025-8110
Wiz published research on December 10, 2025 describing CVE-2025-8110 as an actively exploited Gogs zero-day affecting version 0.13.3 and earlier. The disclosure said more than 700 public-facing instances had been compromised, no patch was yet available, and published indicators of compromise and mitigations were provided.
Second wave of Gogs zero-day attacks begins
Researchers observed a renewed wave of exploitation starting on November 1, 2025, showing the campaign was ongoing months after initial abuse began. Reports describe the activity as automated and likely conducted by a single actor or group.
Gogs maintainers acknowledge the reported vulnerability
According to later reporting, Gogs maintainers acknowledged Wiz's report in October 2025, but no patch had been released at that time. The issue remained unresolved despite prior responsible disclosure.
Attackers begin exploiting CVE-2025-8110 against exposed Gogs servers
Evidence cited by multiple reports indicates exploitation began around July 2025, including suspicious repositories with random eight-character names created around July 10. The campaign targeted internet-exposed Gogs instances with open registration enabled.
Wiz discovers Gogs symlink bypass zero-day and reports it to maintainers
Wiz Research discovered CVE-2025-8110 in Gogs during a malware investigation and responsibly disclosed the issue to Gogs maintainers in July 2025. The flaw is a symlink-based bypass of the earlier CVE-2024-55947 protections and can lead to remote code execution.
Sources
Re: CVE-2025-8110 in Gogs self-hosted git service (seclists.org)
Gogs 0-Day Vulnerability Exploited in the Wild to Hack 700+ Instances (cybersecuritynews.com)
Attackers Exploited Gogs Zero-Day Flaw for Months (darkreading.com)
Gogs 0-Day Exploited in the Wild (wiz.io)
CVE-2025-8110: File overwrite in file update API in Gogs (secalerts.co)
CVE-2025-8110 (tenable.com)