Unpatched Gogs Zero-Day Compromises Over 700 Instances; Urgent Mitigation Needed

Critical Unpatched Gogs Zero-Day Exploited in Over 700 Instances

A critical security vulnerability in Gogs, a widely used self-hosted Git service, has been actively exploited, compromising over 700 instances accessible via the internet. The flaw, identified as CVE-2025-8110 with a CVSS score of 8.7, involves improper handling of symbolic links in the PutContents API and allows any authenticated user to achieve remote code execution on the server.

Discovery and Exploitation

The vulnerability was discovered in July 2025 during an investigation into a malware infection on a customer’s machine. Researchers found that attackers were exploiting this zero-day flaw to gain unauthorized access to Gogs instances. Despite responsible disclosure to Gogs maintainers in July and their acknowledgment in October, no patch has been released as of December 12, 2025.

Technical Details

CVE-2025-8110 serves as a bypass for a previously patched remote code execution flaw, CVE-2024-55947. The original fix addressed path traversal issues but failed to account for symbolic links. Attackers exploit this oversight by creating a repository, committing a symbolic link pointing to a sensitive file outside the repository, and using the PutContents API to write data to it. This process allows them to overwrite critical files like `.git/config`, injecting malicious commands into the `sshCommand` parameter to achieve remote code execution.

Scope of Compromise

An analysis revealed approximately 1,400 public-facing Gogs instances, with over 700 showing signs of compromise. The attacks exhibit a distinct, automated pattern, with repositories featuring random 8-character names created around July 10, 2025. This suggests a smash-and-grab style campaign rather than a stealthy espionage operation.

Malware Deployment

Once inside, attackers deploy a sophisticated payload constructed using the Supershell framework, an open-source Command and Control (C2) platform. Supershell establishes a reverse SSH shell, granting attackers full remote control over the compromised system. The malware is heavily obfuscated using tools like garble and UPX packing, complicating static analysis and detection.

Mitigation Recommendations

Given the absence of an official patch, administrators running Gogs (version 0.13.3 or earlier) should take immediate action:

1. Disable Open Registration: If not required, disable the open-registration feature to prevent unauthorized account creation.

2. Restrict Internet Exposure: Place the Gogs service behind a VPN or implement IP allow-listing to limit access.

3. Monitor for Suspicious Activity: Check for repositories with random 8-character names, which may indicate compromise.

By implementing these measures, administrators can reduce the risk of exploitation until an official patch becomes available.