
"CISA has ordered federal agencies to stop using Gogs or lock it down immediately after a high-severity vulnerability in the self-hosted Git service was added to its Known Exploited Vulnerabilities (KEV) catalog. The US cybersecurity agency added the path traversal flaw to the KEV list on Monday, triggering urgent remediation requirements for federal civilian executive branch (FCEB) agencies."
"The vulnerability, tracked as CVE-2025-8110, was first brought to light by Wiz security researchers in December who stumbled on the unpatched flaw in July while investigating malware on an infected machine. The bug allows authenticated users to bypass protections and overwrite arbitrary files on the host system, effectively granting remote code execution."
"Gogs, which is written in Go and allows users to host Git repositories on their own servers or cloud infrastructure, has yet to ship a fix for the flaw, leaving users scrambling for stopgaps such as disabling open registration and shielding instances behind VPNs. Wiz described the vulnerability as a bypass of a prior fix and easy to exploit with default settings enabled, noting: "Unfortunately, the fix implemented for the previous CVE did not account for symbolic links.""
CISA added a high-severity path traversal vulnerability in Gogs (CVE-2025-8110) to its Known Exploited Vulnerabilities catalog, imposing urgent remediation for federal civilian agencies. The flaw is actively weaponized and enables authenticated users to bypass protections and overwrite arbitrary host files, allowing remote code execution. Wiz researchers discovered the unpatched issue after investigating malware and found hundreds of internet-exposed instances already compromised and many more reachable online. Gogs has not released a fix, forcing operators to disable open registration, shield instances behind VPNs, or stop using the product. A prior patch did not account for symbolic links.
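The Wiz quote above points at the class of defect: a file-write containment check that reasons about the path lexically and never follows symbolic links. The Go snippet below is an added illustration written for this page, not Gogs's code or a reconstruction of its patch; the function names, the temporary-directory fixture and the requirement that the target's parent directory already exist are all assumptions of this example.

```go
package main

import (
	"errors"
	"os"
	"path/filepath"
	"strings"
)

// NaiveContains is a lexical check only: Join cleans "..", so traversal sequences
// are caught, but a symlink that already lives under root is never followed.
func NaiveContains(root, rel string) bool {
	return strings.HasPrefix(filepath.Join(root, rel), filepath.Clean(root)+string(filepath.Separator))
}

// SafeTarget resolves symlinks in root and in the target's parent directory (assumed
// to exist; the file itself may be new) before checking containment, the step a symlink-blind fix omits.
func SafeTarget(root, rel string) (string, error) {
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	dir, file := filepath.Split(filepath.Join(realRoot, rel))
	realDir, err := filepath.EvalSymlinks(filepath.Clean(dir))
	if err != nil {
		return "", err
	}
	resolved := filepath.Join(realDir, file)
	if !strings.HasPrefix(resolved, realRoot+string(filepath.Separator)) {
		return "", errors.New("target resolves outside root")
	}
	return resolved, nil
}

// Demo builds a constructed fixture (root/link -> ../outside) and asks both checks
// whether a write to root/link/hook.sh stays inside root.
func Demo() (naiveAllows bool, safeErr error, err error) {
	base, err := os.MkdirTemp("", "symlink-demo")
	if err != nil {
		return false, nil, err
	}
	defer os.RemoveAll(base)
	root, outside := filepath.Join(base, "root"), filepath.Join(base, "outside")
	if err = errors.Join(os.Mkdir(root, 0o755), os.Mkdir(outside, 0o755),
		os.Symlink(outside, filepath.Join(root, "link"))); err != nil {
		return false, nil, err
	}
	_, safeErr = SafeTarget(root, "link/hook.sh")
	return NaiveContains(root, "link/hook.sh"), safeErr, nil
}
```

Demo returns true for the lexical check and a non-nil error from the resolving one, which is exactly the gap a symlink-aware fix has to close.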
Read at Theregister