Active Exploitation of Gogs Vulnerability Exposes Self-Hosted Git Environments

Active Exploitation of Gogs Vulnerability Exposes Self-Hosted Git Environments

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity vulnerability affecting Gogs to its Known Exploited Vulnerabilities (KEV) catalog, confirming that the flaw is being actively exploited in real-world attacks.

Tracked as CVE-2025-8110, the issue stems from improper handling of symbolic links in Gogs’ repository file editing functionality. When exploited, it allows attackers to write files outside the intended repository scope, potentially leading to remote code execution on the host system.

Attack overview

Security researchers report that attackers can:

• create a Git repository containing a symbolic link to a sensitive system file;

• abuse Gogs’ content update API to write data through the symlink;

• overwrite Git or SSH configuration files, enabling command execution.

This technique effectively bypasses earlier security controls and demonstrates a more advanced approach to targeting developer infrastructure.

Impact and exposure

Hundreds of compromised Gogs instances have already been identified. Many publicly accessible servers remain exposed, particularly in environments where Gogs is deployed as a lightweight, self-managed Git service without continuous security monitoring.

At the time of publication, no official patch has been released, although fixes are already being prepared by the project maintainers.

DIAMATIX Perspective

This incident highlights a recurring pattern we see across environments:
developer tools are increasingly targeted, yet often under-protected.

Self-hosted Git services:

• hold sensitive intellectual property;

• often run with elevated permissions;

• are frequently excluded from centralized security monitoring.

Path traversal vulnerabilities, especially in DevOps platforms, can quickly escalate into full system compromise. Until a patch is available, organizations must rely on defense-in-depth controls rather than waiting for a software update.

Recommended actions

• Restrict access to Gogs using VPNs or IP allow-lists.

• Disable open user registration.

• Monitor Git configuration files and system paths for unexpected changes.

• Prepare for immediate patch deployment once a fix is officially released.

Contact DIAMATIX

Trusted · Innovative · Vigilant

Sources:

• CISA – Known Exploited Vulnerabilities Catalog

• Wiz Research – Active exploitation analysis

• Censys – Internet-exposed Gogs servers data