Executive Summary

On January 12, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-8110, a high-severity path traversal vulnerability in the Gogs self-hosted Git service, to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, rated CVSS 8.7, allows an authenticated attacker to achieve remote code execution (RCE) by exploiting improper handling of symbolic links (symlinks). CISA's action confirms active, in-the-wild exploitation of this vulnerability, which functions as a bypass for a previously patched issue (CVE-2024-55947). Due to the confirmed exploitation and the critical function Gogs serves in development pipelines, all organizations using this platform are urged to apply mitigations immediately, as official patches are still pending. Federal agencies have a strict remediation deadline of February 2, 2026.

Vulnerability Details

The vulnerability, CVE-2025-8110, is classified as CWE-22: Improper Limitation of a Pathname to a Restricted Directory. It arises from Gogs's failure to properly validate symlinks within Git repositories when using the PutContents API. The patch for a prior RCE vulnerability, CVE-2024-55947, was incomplete and did not account for this vector.

An authenticated attacker can exploit this by:

1. Creating a new Git repository on the Gogs server.
2. Committing a symlink that points to a sensitive file outside the repository's intended directory, such as the .git/config file of another repository or a system-level configuration file.
3. Using the PutContents API to write content to this symlink.
4. The Gogs server incorrectly follows the symlink and overwrites the target file. A common attack path involves overwriting the .git/config file to inject a malicious sshCommand. When a git hook or operation involving SSH is triggered, this command executes with the permissions of the Gogs service account, leading to full RCE.

Affected Systems

• Product: Gogs (Go Git Service) - All versions prior to the forthcoming patched release are considered vulnerable.
• Deployment: The vulnerability impacts self-hosted Gogs instances. According to Censys data, there are approximately 1,600 internet-exposed Gogs servers, with the highest concentrations in China, the United States, and Germany.

Exploitation Status

CISA has confirmed active exploitation of CVE-2025-8110 in the wild. Research from Wiz previously identified over 700 compromised, publicly-facing Gogs instances related to this attack chain. The addition to the KEV catalog under Binding Operational Directive (BOD) 22-01 signifies a high level of threat and mandates urgent action from U.S. federal agencies.

Impact Assessment

Compromise of a Gogs server can have devastating consequences. Gogs instances are central to software development lifecycles, storing proprietary source code, intellectual property, and often credentials or API keys for other systems. An attacker with RCE on a Gogs server could:

• Steal or tamper with source code, introducing backdoors in a Supply Chain Attack.
• Exfiltrate sensitive credentials and pivot to other parts of the network.
• Disrupt development and deployment operations, causing significant business downtime.
• Use the compromised server as a launchpad for further attacks. Given that Gogs is often a core part of CI/CD pipelines, the blast radius of a successful exploit is extremely large, potentially impacting the integrity of all software built and managed by the system.

Cyber Observables for Detection

Security teams should hunt for signs of vulnerable Gogs instances and exploitation attempts. These are not IOCs but hunting indicators.

Detection & Response

Security teams should proactively hunt for and respond to potential exploitation.

Detection Strategies

1. Log Analysis: Ingest Gogs application and web server logs into a SIEM. Create alerts for multiple failed login attempts followed by a successful one, and for any write operations using the PutContents API that target unusual file paths or contain suspicious content (e.g., shell commands).
2. File Integrity Monitoring (FIM): Deploy FIM on the Gogs server to monitor critical files. Specifically, alert on any changes to .git/config files within repository directories, especially the addition of the [core] section with an sshCommand entry.
3. Network Traffic Analysis: (D3FEND: D3-NTA: Network Traffic Analysis) Monitor for unexpected outbound connections from the Gogs server. A compromised server might initiate connections to attacker-controlled C2 infrastructure.
4. Endpoint Detection and Response (EDR): Ensure EDR is deployed on the Gogs host. Look for suspicious process chains originating from the Gogs service process, such as gogs -> sh -> curl.

Response Actions

• If a compromise is suspected, immediately isolate the Gogs server from the network to prevent lateral movement.
• Preserve logs, repository data, and a full disk image for forensic analysis.
• Assume all code and credentials stored on the Gogs instance are compromised. Initiate credential rotation for all secrets and conduct a thorough source code review for any unauthorized modifications.

Mitigation

As of January 13, 2026, official patches have not been formally released. However, code changes are available in pull requests on the official Gogs GitHub repository.

Immediate Actions

1. Apply Pre-release Patch: For organizations with the capability, review and apply the code changes from the relevant pull requests on GitHub. This is the most direct mitigation.
2. Disable Public Registration: If not essential, disable public user registration on the Gogs instance to limit the attack surface to known, trusted users.
3. Restrict API Access: If possible, implement reverse proxy rules or web application firewall (WAF) rules to block or alert on suspicious patterns in requests to the PutContents API endpoint.
4. Discontinue Use: Per CISA's advice, if patching is not feasible, organizations should consider discontinuing use of the product until a stable, patched version is available.

Strategic Hardening

• Principle of Least Privilege: (D3FEND: D3-UAP: User Account Permissions) Run the Gogs service with a dedicated, low-privilege user account with restricted file system access.
• Network Segmentation: (D3FEND: D3-NI: Network Isolation) Isolate the Gogs server in a separate network segment. Restrict outbound internet access to only what is absolutely necessary.
• Regular Auditing: Implement regular reviews of Gogs user accounts, repository permissions, and audit logs to detect anomalous activity.