CISA Flags Actively Exploited Gogs Path Traversal Leading to RCE (CVE-2025-8110)
CISA added CVE-2025-8110 affecting the Gogs self-hosted Git service to its Known Exploited Vulnerabilities (KEV) Catalog, citing evidence of active exploitation and triggering mandatory remediation timelines for U.S. Federal Civilian Executive Branch (FCEB) agencies under BOD 22-01. The issue is described as a path traversal weakness that can be leveraged for remote code execution (RCE) in real-world attacks, increasing risk for organizations running Internet-exposed Gogs instances.
Technical reporting indicates the flaw resides in the PutContents API and can be abused by authenticated attackers using symbolic links to write outside a repository and overwrite sensitive files; one described route to code execution is overwriting Git configuration (e.g., sshCommand) to force arbitrary command execution. Wiz Research tied the vulnerability to observed malware activity on an Internet-facing Gogs server and reported large-scale exposure and compromise signals across the ecosystem (including thousands of exposed servers and hundreds showing signs of compromise), with exploitation observed as a zero-day prior to patch availability; CISA’s KEV action formalizes the exploitation status and elevates patching priority for both government and non-government operators.

How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
CISA orders federal agencies to remediate Gogs flaw by Feb. 2
With the KEV listing, CISA directed Federal Civilian Executive Branch agencies to remediate CVE-2025-8110 under Binding Operational Directive 22-01 by February 2, 2026. Guidance also included mitigations such as disabling open registration and restricting access to Gogs instances.
CISA adds CVE-2025-8110 to the KEV catalog
On January 12, 2026, CISA added the actively exploited Gogs vulnerability CVE-2025-8110 to its Known Exploited Vulnerabilities catalog. CISA said the flaw posed significant risk and urged organizations to prioritize remediation.
Patches for CVE-2025-8110 are released
Gogs released patches for CVE-2025-8110 in early January 2026, about a week before CISA's KEV announcement. The fixes addressed the symlink-based path traversal that enabled remote code execution.
Wiz reports large-scale exposure and compromise of Gogs servers
By late 2025, Wiz reported that roughly 1,400 Gogs instances were exposed to the internet and more than 700 public-facing instances showed signs of compromise. The company said the exploitation appeared widespread and likely driven by a single actor or toolset.
Wiz observes second wave of zero-day exploitation
On November 1, 2025, Wiz observed a second wave of in-the-wild exploitation targeting internet-facing Gogs instances. The activity appeared automated and involved indicators such as suspicious repositories with random eight-character names.
Gogs maintainers acknowledge the vulnerability report
Gogs maintainers acknowledged Wiz's report of CVE-2025-8110 on October 30, 2025. This marked the vendor's formal recognition of the issue before broader disclosure and remediation guidance.
Wiz reports CVE-2025-8110 to Gogs maintainers
Wiz reported the newly discovered Gogs vulnerability to the project's maintainers on July 17, 2025. The flaw was described as a bypass of the earlier CVE-2024-55947 fix through improper symbolic link handling.
Wiz discovers Gogs flaw during July malware investigation
Wiz Research identified CVE-2025-8110, a path traversal and symlink-handling flaw in Gogs' PutContents API, while investigating a malware infection on an internet-facing Gogs server in July 2025. The issue could let authenticated attackers write outside a repository and achieve remote code execution.
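The mechanism described above (and in the story summary at the top) is a content-write API that follows a symbolic link committed into a repository, so the write lands outside the repository tree, for example on a Git configuration file. The Go function below is an added defender-side example, not Gogs' own code or its actual patch: it shows the two checks such an endpoint needs, a lexical check against "../" and absolute paths and a physical walk that refuses to write through any path component that is a symlink. The function and error names are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var ErrUnsafePath = errors.New("path escapes repository or traverses a symlink")

// SafeRepoPath resolves relPath under repoRoot for a content write and returns the
// on-disk target, or ErrUnsafePath. Any existing component that is a symbolic link
// is rejected, so a link committed into the repository cannot redirect the write.
// Hypothetical helper written for this example; not Gogs' code.
func SafeRepoPath(repoRoot, relPath string) (string, error) {
	root := filepath.Clean(repoRoot)
	sep := string(filepath.Separator)
	clean := filepath.Clean(relPath)
	if filepath.IsAbs(clean) || clean == "." || clean == ".." || strings.HasPrefix(clean, ".."+sep) {
		return "", ErrUnsafePath // lexical escape or empty path
	}
	target := filepath.Join(root, clean)
	cur := root
	for _, part := range strings.Split(clean, sep) {
		cur = filepath.Join(cur, part)
		fi, err := os.Lstat(cur) // Lstat does not follow links, so the link itself is inspected
		if errors.Is(err, os.ErrNotExist) {
			break // the rest of the path does not exist yet and will be created fresh
		}
		if err != nil {
			return "", err
		}
		if fi.Mode()&os.ModeSymlink != 0 {
			return "", ErrUnsafePath // a committed symlink would redirect the write
		}
	}
	// Caveat: the check is not atomic with the write; a concurrent push could swap a
	// component for a link in between, so the write itself should also refuse to follow links.
	return target, nil
}

func main() {
	for _, p := range []string{"docs/README.md", "../outside.txt", "/etc/passwd"} {
		_, err := SafeRepoPath(".", p)
		fmt.Printf("%-16s -> %v\n", p, err)
	}
}
```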
Sources
Updated CISA exploited flaws list includes Gogs vulnerability | SC Media (scworld.com)
Fed agencies urged to ditch Gogs as zero-day makes CISA list | The Register (go.theregister.com)
CISA Adds Gogs RCE Vulnerability CVE-2025-8110 to KEV (thecyberthrone.in)
CISA Adds One Known Exploited Vulnerability to Catalog (cisa.gov)
CISA orders feds to patch Gogs RCE flaw exploited in zero-day attacks (bleepingcomputer.com)
U.S. CISA adds a flaw in Gogs to its Known Exploited Vulnerabilities catalog (securityaffairs.com)