CISA Warns of Active Exploitation of Gogs Vulnerability Enabling Code Execution
Briefly

"The vulnerability essentially bypasses protections put in place for CVE-2024-55947 to achieve code execution by creating a git repository, committing a symbolic link pointing to a sensitive target, and using the PutContents API to write data to the symlink. This, in turn, causes the underlying operating system to navigate to the actual file the symlink points to and overwrites the target file outside the repository. An attacker could leverage this behavior to overwrite Git configuration files, specifically the sshCommand setting, giving them code execution privileges."
"Wiz said it identified 700 compromised Gogs instances. According to data from the attack surface management platform Censys, there are about 1,600 internet-exposed Gogs servers. There are currently no patches that address CVE-2025-8110, although pull requests on GitHub show that the necessary code changes have been made. 'Once the image is built on main, both gogs/gogs:latest and gogs/gogs:next-latest will have this CVE patched,' one of the project maintainers said last week."
CISA added CVE-2025-8110 to the Known Exploited Vulnerabilities catalog due to active exploitation. The flaw is a path traversal caused by improper symbolic link handling in Gogs' PutContents API that can lead to code execution. Attackers create repositories, commit symlinks to sensitive targets, and use PutContents to write through the symlink, causing the OS to overwrite files outside the repository. Overwritten Git configuration, such as sshCommand, can grant code execution. Wiz identified 700 compromised Gogs instances. Approximately 1,600 internet-exposed Gogs servers exist, mostly in China; no official patch has been released yet, although pull requests on GitHub contain the fix.
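A defensive write routine for the write-through case described above, added here as an example in Go (Gogs' language) and not code from the Gogs project: it resolves symlinks in the directory chain before writing, rejects any resolved path that leaves the repository root, and refuses to write when the final path component is itself a symlink. The function and error names are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRepo is returned when a write would follow a symlink or leave the repository.
var ErrOutsideRepo = errors.New("refusing to write through a symlink or outside the repository")

// SafePutContents writes data to rel under root. It resolves symlinks in the directory
// chain, rejects paths that escape root, and refuses a symlink as the final component.
func SafePutContents(root, rel string, data []byte) error {
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return err
	}
	// Clean with a leading "/" so "../" segments cannot climb above the root.
	target := filepath.Join(realRoot, filepath.Clean("/"+rel))
	// The file may not exist yet, so resolve its parent directory instead.
	realDir, err := filepath.EvalSymlinks(filepath.Dir(target))
	if err != nil {
		return err
	}
	resolved := filepath.Join(realDir, filepath.Base(target))
	if !strings.HasPrefix(resolved, realRoot+string(os.PathSeparator)) {
		return ErrOutsideRepo
	}
	// Lstat does not follow links: a symlink at the leaf is rejected wherever it points.
	// On Unix, opening with O_NOFOLLOW would also close the race between check and write.
	if fi, err := os.Lstat(resolved); err == nil && fi.Mode()&os.ModeSymlink != 0 {
		return ErrOutsideRepo
	}
	return os.WriteFile(resolved, data, 0o644)
}

func main() {
	// Constructed demo: the repo contains a symlink "cfg" pointing at a file outside it.
	base, _ := os.MkdirTemp("", "gogs-demo")
	defer os.RemoveAll(base)
	repo := filepath.Join(base, "repo")
	_ = os.Mkdir(repo, 0o755)
	_ = os.Symlink(filepath.Join(base, "outside.txt"), filepath.Join(repo, "cfg"))
	fmt.Println("symlink:", SafePutContents(repo, "cfg", []byte("x")))       // rejected
	fmt.Println("regular:", SafePutContents(repo, "README.md", []byte("ok"))) // <nil>
}
```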
Read at The Hacker News