A recently exploited zero-day flaw in Gogs, a popular self-hosted Git service, remains unpatched and has allowed attackers to achieve remote code execution on Internet-facing instances, compromising hundreds of servers. Gogs is written in Go and is often used as an alternative to GitLab or GitHub Enterprise, with many deployments exposed publicly for remote collaboration.
The vulnerability, CVE-2025-8110, stems from a path traversal weakness in the PutContents API. Although the patches for a prior remote code execution bug (CVE-2024-55947) added some directory-traversal protections, they did not validate the destination of symbolic links. An attacker can create a repository containing a symbolic link that points at a sensitive file on the host, then call PutContents on the link's path; the write follows the symlink and overwrites a target outside the repository.
By overwriting critical Git configuration files, specifically the sshCommand setting, attackers can coerce target systems to run arbitrary commands. Wiz Research discovered the issue in July while investigating a malware infection on a customer’s publicly accessible Gogs server. Their investigation found over 1,400 Gogs servers exposed online, with more than 700 of them showing signs of compromise.
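The root cause described above is a write path that is checked lexically but not after symlink resolution. The following Go function is an added example written for this article, not Gogs code, showing the check a hardened PutContents-style handler should perform before writing: reject lexical traversal, refuse a target that is itself a symlink, and resolve the deepest existing ancestor so a symlinked directory inside the repository cannot redirect the write. The function name, the refusal of anything under `.git/`, and the temporary directory layout in `main` are this example's own choices.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRepo is returned when a requested write would land outside the
// repository root, whether by lexical traversal or by following a symlink.
var ErrOutsideRepo = errors.New("write target resolves outside repository root")

// insideRoot reports whether candidate is root itself or nested under it.
// Both arguments must already be absolute and symlink-free.
func insideRoot(root, candidate string) bool {
	rel, err := filepath.Rel(root, candidate)
	if err != nil {
		return false
	}
	sep := string(filepath.Separator)
	return rel == "." || (rel != ".." && !strings.HasPrefix(rel, ".."+sep))
}

// SafeWriteTarget validates a repository-relative path before a PutContents-style
// handler writes to it (hypothetical helper, not part of Gogs). It rejects lexical
// traversal and absolute paths, refuses anything under .git/ (a content API has no
// business editing repository metadata), refuses a target that is itself a symlink,
// and resolves the deepest existing ancestor through symlinks so that a symlinked
// parent directory inside the repo cannot redirect the write to a path outside it.
func SafeWriteTarget(repoRoot, relPath string) (string, error) {
	realRoot, err := filepath.EvalSymlinks(repoRoot)
	if err != nil {
		return "", fmt.Errorf("resolving repo root: %w", err)
	}
	if realRoot, err = filepath.Abs(realRoot); err != nil {
		return "", err
	}
	sep := string(filepath.Separator)

	// Lexical checks on the caller-supplied path.
	cleaned := filepath.Clean(relPath)
	if filepath.IsAbs(cleaned) || cleaned == "." || cleaned == ".." || strings.HasPrefix(cleaned, ".."+sep) {
		return "", ErrOutsideRepo
	}
	if strings.Split(cleaned, sep)[0] == ".git" {
		return "", ErrOutsideRepo
	}
	target := filepath.Join(realRoot, cleaned)

	// A target that already exists as a symlink would let the write go through
	// it to the link's destination; refuse it regardless of where it points.
	if fi, err := os.Lstat(target); err == nil && fi.Mode()&os.ModeSymlink != 0 {
		return "", ErrOutsideRepo
	}

	// The final file may not exist yet (this may be a create), so walk up to the
	// deepest existing ancestor and resolve that one; a symlinked directory on
	// the way is caught here.
	probe := target
	for {
		if _, err := os.Lstat(probe); err == nil {
			break
		}
		parent := filepath.Dir(probe)
		if parent == probe {
			return "", ErrOutsideRepo
		}
		probe = parent
	}
	resolved, err := filepath.EvalSymlinks(probe)
	if err != nil {
		return "", fmt.Errorf("resolving %s: %w", probe, err)
	}
	if !insideRoot(realRoot, resolved) {
		return "", ErrOutsideRepo
	}
	return target, nil
}

// main builds a throwaway repository layout (constructed for the demo) with one
// symlink pointing outside it and shows which write targets the check refuses.
func main() {
	root, _ := os.MkdirTemp("", "repo")
	outside, _ := os.MkdirTemp("", "outside")
	defer os.RemoveAll(root)
	defer os.RemoveAll(outside)
	_ = os.Symlink(outside, filepath.Join(root, "escape"))

	for _, p := range []string{"README.md", "docs/new.txt", "../outside.txt", "escape/config", ".git/config"} {
		_, err := SafeWriteTarget(root, p)
		fmt.Printf("%-16s -> %v\n", p, err)
	}
}
```

The order of the checks matters: resolving symlinks first and then checking lexically would still let a link at the final component through, while checking lexically alone is exactly the gap the article describes. Keep the root itself resolved too, since a repository stored under a symlinked data directory would otherwise fail the containment test on every write.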
All breached instances analyzed shared strikingly similar indicators, including repositories with randomly generated eight-character names created in the same July timeframe, suggesting either a single actor or a coordinated group using automated tooling.
The researchers noted in their external scan that many Gogs servers are reachable publicly and that open registration is frequently enabled by default, which dramatically expands the attack surface. Wiz further identified that the deployed malware was built using Supershell, an open-source command-and-control framework that can establish reverse SSH tunnels through web services. Communication was observed with a C2 server at 119.45.176[.]196.
Gogs maintainers were alerted to the vulnerability on July 17, and a patch was still in development when they acknowledged the flaw on October 30. A second wave of attacks was detected on November 1 according to Wiz Research’s disclosure timeline.
Mitigation guidance for Gogs users: disable open registration (it is enabled by default) and restrict server access via a VPN or an allow list. To check for compromise, look for unusual use of the PutContents API and for repositories with randomly generated eight-character names.
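The two compromise indicators above can be turned into a first-pass triage script. The Go program below is an added example for this article, not a Wiz or Gogs tool: it parses constructed access-log lines, counts PUT calls to the contents endpoint per repository, and flags repositories whose name looks auto-generated or that received a burst of such calls. The log layout, the `/api/v1/repos/{owner}/{repo}/contents/` path shape, the `LooksRandom` heuristic and the threshold are all assumptions to adapt to what your own proxy or Gogs instance records.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"sort"
	"strings"
	"unicode"
)

// SampleLog holds constructed sample access-log lines for this example (not
// real Gogs output). The line layout and the /contents/ endpoint shape are
// assumptions; point lineRe at whatever your reverse proxy or Gogs actually logs.
const SampleLog = `2025-07-12T03:14:05Z user=dev1 method=GET path=/dev1/frontend status=200
2025-07-12T03:14:09Z user=dev1 method=PUT path=/api/v1/repos/dev1/frontend/contents/README.md status=200
2025-07-12T03:20:41Z user=q7h2m9xa method=POST path=/api/v1/user/repos status=201
2025-07-12T03:20:42Z user=q7h2m9xa method=PUT path=/api/v1/repos/q7h2m9xa/k3j9x2qa/contents/a status=200
2025-07-12T03:20:43Z user=q7h2m9xa method=PUT path=/api/v1/repos/q7h2m9xa/k3j9x2qa/contents/b status=200
2025-07-12T03:20:44Z user=q7h2m9xa method=PUT path=/api/v1/repos/q7h2m9xa/k3j9x2qa/contents/c status=200
2025-07-12T04:02:10Z user=dev2 method=PUT path=/api/v1/repos/dev2/backend1/contents/main.go status=200
`

// lineRe extracts timestamp, user, method, owner, repo and status from one line
// that targets the contents endpoint; other lines simply do not match.
var lineRe = regexp.MustCompile(`^(\S+) user=(\S+) method=(\S+) path=/api/v1/repos/([^/\s]+)/([^/\s]+)/contents/\S* status=(\d+)$`)

// Finding describes one repository worth a closer look and why.
type Finding struct {
	Repo     string // owner/name
	PutCount int    // PUT .../contents/... calls seen
	Reasons  []string
}

// LooksRandom is a deliberately simple heuristic for auto-generated names:
// exactly eight lowercase alphanumerics with either at least two digits or no
// vowels at all. It is a first-pass filter, not a verdict; tune the character
// set to what you actually observe.
func LooksRandom(name string) bool {
	if len(name) != 8 {
		return false
	}
	digits, vowels := 0, 0
	for _, r := range name {
		switch {
		case unicode.IsDigit(r):
			digits++
		case r >= 'a' && r <= 'z':
			if strings.ContainsRune("aeiou", r) {
				vowels++
			}
		default:
			return false
		}
	}
	return digits >= 2 || vowels == 0
}

// AnalyzePutContents counts PutContents calls per repository and reports
// repositories whose name looks auto-generated or that received at least
// burst such calls. Findings are sorted by repository for stable output.
func AnalyzePutContents(log string, burst int) []Finding {
	counts := map[string]int{}
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		m := lineRe.FindStringSubmatch(sc.Text())
		if m == nil || m[3] != "PUT" {
			continue
		}
		counts[m[4]+"/"+m[5]]++
	}
	var out []Finding
	for repo, n := range counts {
		f := Finding{Repo: repo, PutCount: n}
		if LooksRandom(strings.SplitN(repo, "/", 2)[1]) {
			f.Reasons = append(f.Reasons, "repository name looks auto-generated")
		}
		if n >= burst {
			f.Reasons = append(f.Reasons, fmt.Sprintf("%d PutContents calls (threshold %d)", n, burst))
		}
		if len(f.Reasons) > 0 {
			out = append(out, f)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Repo < out[j].Repo })
	return out
}

func main() {
	for _, f := range AnalyzePutContents(SampleLog, 3) {
		fmt.Printf("%s: %d PutContents calls; %s\n", f.Repo, f.PutCount, strings.Join(f.Reasons, "; "))
	}
}
```

Because the script only sees repositories that received PutContents calls, repositories created with random names but never written through the API will not appear; pull repository names and creation timestamps from the Gogs database as well, and pay particular attention to clusters of eight-character names created within the same short window, which is the pattern Wiz reported across the compromised instances.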
Thought-provoking takeaway: as the attack surface of self-hosted development tools widens, traditional security assumptions—such as permissive open registrations—can become critical weak points. How aggressively should administrators harden defaults, even if it marginally impacts ease of collaboration? Share your stance and experiences in the comments.