
"Attackers are actively exploiting a zero-day bug in Gogs, a popular self-hosted Git service, and the open source project doesn't yet have a fix. More than 700 instances have been compromised in the ongoing attacks, according to Wiz researchers, who described the zero-day discovery as "accidental" and say that it happened in July while they were investigating malware on an infected machine."
"The bug is tracked as CVE-2025-8110, and anyone running a Gogs server (version 0.13.3 or earlier) that is internet exposed and has open-registration enabled - this is the default setting - is vulnerable. CVE-2025-8110 is essentially a bypass of a previously patched bug (CVE-2024-55947) that allows authenticated users to overwrite files outside the repository, leading to remote code execution (RCE). The earlier RCE was discovered by Manasseh Zhou."
"Gogs is written in Go, and it allows users to host Git repositories on their own servers or cloud infrastructure, rather than using GitHub or another third party. Gogs, and Git in general, allow symbolic links (or symlinks). They act as pointers or shortcuts to another file or directory, and they can point to objects outside the repository. Additionally, the Gogs API allows file modification outside the regular Git protocol."
More than 700 internet-exposed Gogs instances with open registration (the default setting) have been compromised via a zero-day tracked as CVE-2025-8110. The flaw bypasses the patch for an earlier bug (CVE-2024-55947, found by Manasseh Zhou) by abusing symbolic links to overwrite files outside the repository, which an authenticated user can turn into remote code execution. Gogs versions 0.13.3 and earlier are affected. Gogs permits symlinks, which can point outside the repository, and its API allows file modification outside the regular Git protocol; together these form the attack surface. Wiz found the flaw by accident in July while investigating malware on an infected machine. No fix is available yet and exploitation is ongoing. Until one ships, the two conditions the researchers name (internet exposure and open registration) are the obvious levers: disabling open registration or restricting who can reach the instance removes the path for arbitrary strangers to obtain an account, though it does not remove the bug for accounts that already exist.
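The passages above describe the two ingredients of this class of bug: a repository may contain a symlink pointing outside itself, and a server-side API that writes files by path can follow that link. The Go program below is an added illustration, not code from Gogs, Wiz or The Register, and it makes no claim about how CVE-2025-8110 is actually triggered or how CVE-2024-55947 was patched. It contrasts a lexical path check (join, clean, compare prefixes), which stops `../` but is fooled by a committed symlink, with a symlink-aware check that resolves the deepest existing ancestor of the write target and refuses dangling symlinks. The fixture it builds in a temp directory (a `repo` holding a directory symlink, a file symlink and a dangling symlink aimed at a sibling `outside` directory) is constructed for the example; the function names `naiveInRepo`, `safeWritePath` and `RunDemo` are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var ErrOutsideRepo = errors.New("path resolves outside repository root")

// under reports whether p equals root or lies beneath it (both already cleaned).
func under(p, root string) bool {
	return p == root || strings.HasPrefix(p, root+string(filepath.Separator))
}

// naiveInRepo is lexical only: it stops "../" but is fooled by a committed symlink.
func naiveInRepo(root, rel string) bool {
	return under(filepath.Join(root, rel), root)
}

// resolveExistingPrefix follows symlinks in the deepest existing ancestor of p and
// re-appends the missing tail. A dangling symlink is refused, since a write would follow it.
func resolveExistingPrefix(p string) (string, error) {
	var missing []string
	for cur := p; ; cur = filepath.Dir(cur) {
		resolved, err := filepath.EvalSymlinks(cur)
		if err == nil {
			for i := len(missing) - 1; i >= 0; i-- {
				resolved = filepath.Join(resolved, missing[i])
			}
			return resolved, nil
		}
		_, lerr := os.Lstat(cur)
		if !errors.Is(err, os.ErrNotExist) || lerr == nil || filepath.Dir(cur) == cur {
			return "", fmt.Errorf("cannot resolve %q: %w", cur, err)
		}
		missing = append(missing, filepath.Base(cur))
	}
}

// safeWritePath is symlink-aware: lexical containment first, then containment of
// the physically resolved target. It returns the real path a write would touch.
func safeWritePath(root, rel string) (string, error) {
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	joined := filepath.Join(realRoot, rel)
	if !under(joined, realRoot) {
		return "", ErrOutsideRepo
	}
	target, err := resolveExistingPrefix(joined)
	if err != nil {
		return "", err
	}
	if !under(target, realRoot) {
		return "", ErrOutsideRepo
	}
	return target, nil
}

// Verdict records whether the lexical and the symlink-aware check accepted a path.
type Verdict struct{ Naive, Safe bool }

// RunDemo builds a constructed fixture (not a real Gogs layout): a "repo" directory with a
// directory, file and dangling symlink into a sibling "outside" directory, then runs both checks.
func RunDemo() (map[string]Verdict, error) {
	tmp, err := os.MkdirTemp("", "symlink-demo-*")
	if err != nil {
		return nil, err
	}
	defer os.RemoveAll(tmp)
	root, outside := filepath.Join(tmp, "repo"), filepath.Join(tmp, "outside")
	var ferr error
	do := func(e error) { // keep the first fixture error
		if ferr == nil {
			ferr = e
		}
	}
	do(os.MkdirAll(root, 0o755))
	do(os.MkdirAll(outside, 0o755))
	do(os.WriteFile(filepath.Join(outside, "app.ini"), []byte("[server]\n"), 0o644))
	do(os.Symlink("../outside", filepath.Join(root, "hooks")))            // directory symlink
	do(os.Symlink("../outside/app.ini", filepath.Join(root, "app.ini")))  // file symlink
	do(os.Symlink("../outside/missing", filepath.Join(root, "dangling"))) // dangling symlink
	if ferr != nil {
		return nil, ferr
	}
	out := map[string]Verdict{}
	for _, rel := range []string{"README.md", "../escape.txt", "hooks/pre-receive", "app.ini", "dangling"} {
		_, err := safeWritePath(root, rel)
		out[rel] = Verdict{Naive: naiveInRepo(root, rel), Safe: err == nil}
	}
	return out, nil
}

func main() {
	v, err := RunDemo()
	fmt.Println(v, err)
}
```

Running it shows the gap: `hooks/pre-receive`, `app.ini` and `dangling` all pass the lexical check and all fail the symlink-aware one, while `../escape.txt` fails both and `README.md` passes both. Two caveats a reviewer would raise: the resolve-then-write sequence is not atomic, so a link swapped in between check and write still wins unless the write itself is done with per-component no-follow opens; and a service that only ever manipulates bare repositories through Git plumbing never dereferences a working-tree symlink in the first place, which is the stronger design.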
Read at The Register