CISA Warns of Actively Exploited Zero-Day Gogs Vulnerability Allowing Remote Code Execution

  • January 13, 2026

CISA warns of a zero-day, high-severity Gogs vulnerability that enables remote code execution and is being actively exploited in the wild. See how attackers are exploiting it and how you can protect your Git repos.

CISA recently added a critical zero-day vulnerability in Gogs to its Known Exploited Vulnerabilities (KEV) list after malicious actors were observed actively exploiting this high-severity flaw. Gogs is an open-source Git platform that allows users to collaborate on code on their own server.

This vulnerability is a path traversal issue in Gogs’ repository file editor, caused by improper handling of symbolic links. It allows an attacker to write files outside of the repository, which can lead to remote code execution. Vulnerable servers therefore need defensive action.

How the Gogs Flaw Works

An attacker abuses a symbolic link to gain code execution. They create a repository and commit a symlink pointing to a sensitive file. Next, they use the file editor API to write malicious data via the symlink.

[Figure: Exploitation Workflow. Step-by-Step RCE Analysis, CVE-2025-8110: 01 Create Repository; 02 Add Symlink to Target; 03 API Write Request; 04 Bypass Sandbox Traversal; 05 Gain Remote Execution.]

The server then follows the link and overwrites the target file outside the repository. This allows the attacker to alter Gogs’ config (e.g. the sshCommand), enabling arbitrary code execution.

  • Create a Gogs repository on the server.
  • Add a symbolic link in the repo pointing to a critical file (e.g. SSH config).
  • Use the file editor API to write data through that symlink.
  • The server follows the symlink and overwrites the target file outside the repo.
  • By altering .git/config (such as the sshCommand), the attacker gains remote code execution.

Active Zero-Day Exploitation

This vulnerability has been exploited in the wild as a true zero-day. Security researchers have detected ongoing attacks on Gogs since mid-2025 and identified several waves of attacks, which shows that attackers are exploiting this vulnerability on a regular basis.

Patch Availability and Development Status

Although fixes for CVE-2025-8110 were merged into the Gogs repository, an official fixed release had not been fully distributed at the time of the initial reports. Monitor Gogs releases closely so that the fixed version, with symlink-aware path validation, can be deployed as soon as it is available.
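
What symlink-aware path validation means in practice, as an added Go example (this is not the Gogs project's fix and not code from the original article). `SafeWritePath` and `ErrUnsafePath` are hypothetical names, and the temp-directory layout in `main` is constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrUnsafePath marks a write target that would leave the repository tree.
var ErrUnsafePath = errors.New("unsafe path: escapes repository root")

// SafeWritePath (hypothetical helper) maps a client-supplied relative path to
// a location under root, refusing anything a symlink would redirect.
func SafeWritePath(root, rel string) (string, error) {
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	target := filepath.Join(realRoot, rel) // lexical clean only; symlinks unresolved
	// Resolve the parent directory on disk and confirm it is still inside root.
	parent, err := filepath.EvalSymlinks(filepath.Dir(target))
	if err != nil {
		return "", err
	}
	if parent != realRoot && !strings.HasPrefix(parent, realRoot+string(filepath.Separator)) {
		return "", ErrUnsafePath
	}
	// Lstat does not follow the leaf, so dangling symlinks are caught too.
	if fi, err := os.Lstat(target); err == nil && fi.Mode()&os.ModeSymlink != 0 {
		return "", ErrUnsafePath
	}
	return filepath.Join(parent, filepath.Base(target)), nil
}

func main() {
	// Constructed sample: a repo containing a symlink to a file outside it.
	base, _ := os.MkdirTemp("", "demo")
	defer os.RemoveAll(base)
	repo := filepath.Join(base, "repo")
	os.MkdirAll(repo, 0o755)
	os.WriteFile(filepath.Join(base, "outside.conf"), []byte("x"), 0o644)
	os.Symlink(filepath.Join(base, "outside.conf"), filepath.Join(repo, "link"))
	for _, p := range []string{"README.md", "link", "../outside.conf"} {
		_, err := SafeWritePath(repo, p)
		fmt.Printf("%-16s -> %v\n", p, err)
	}
}
```

A check like this still leaves a window between validation and the write, so the write itself should also refuse to follow a symlink at the leaf (for example `O_NOFOLLOW` on Unix).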

Scope of the Threat

This vulnerability has a large attack surface. More than 700 Gogs servers were compromised. In total, approximately 1,400-1,600 instances are vulnerable and exposed to the public internet. Moreover, many current deployments have default settings enabled (e.g., open registration). Some of the key findings include:

[Figure: Gogs Global Threat Map. Intelligence Summary, Attack Surface Analysis: 700+ active breaches; 1.6K total exposed; 991 origin China; 244 USA & Germany.]

  • 700+ compromised servers observed.
  • ~1,400–1,600 public instances of Gogs worldwide.
  • Countries: China (991 servers), USA (146), Germany (98).

Mitigations and Recommendations

No official patch is available yet (fixes have been merged but not released). In the meantime, experts recommend the following mitigations:

  • Disable Gogs’ default open-registration (no public sign-ups).
  • Restrict server access to trusted networks (use VPNs or firewall allow-lists).
  • Apply the official patch as soon as it is released.
  • Monitor Gogs logs for suspicious activity (e.g. random repos or unusual API calls).
  • Note: U.S. federal agencies must implement mitigations by Feb 2, 2026.

For example, disabling open registration prevents unauthorized accounts from being created. Moreover, watching for abnormal repository creation or API use can detect active exploits in progress.
