The vulnerability CVE-2025-8110 in Gogs arises from improper handling of symbolic links in the PutContents API used by the repository file editor. Specifically, the flaw allows an attacker to perform a path traversal attack by committing a symbolic link within a git repository that points to sensitive files outside the repository's directory structure. When the PutContents API writes data to this symbolic link, the underlying operating system follows the link and overwrites the target file outside the repository. This can be exploited to overwrite critical Git configuration files, such as the sshCommand setting, which can be manipulated to execute arbitrary code on the server hosting Gogs. The vulnerability effectively bypasses protections implemented for a previous vulnerability (CVE-2024-55947). The exploit requires the attacker to create a git repository and commit the malicious symbolic link, but does not require authentication if open registration is enabled. Wiz security researchers identified active exploitation in zero-day attacks and found approximately 700 compromised Gogs instances. According to Censys data, around 1,600 Gogs servers are exposed on the internet, with a notable number in Germany (98) among other countries. No official patches have been released yet, but code changes have been merged and will be included in upcoming Docker images (gogs/gogs:latest and gogs/gogs:next-latest). Until patches are available, recommended mitigations include disabling open registration and restricting access to trusted networks. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities catalog and requires federal agencies to implement mitigations by February 2, 2026.

For European organizations using Gogs, this vulnerability poses a significant risk of unauthorized remote code execution, potentially leading to full system compromise. Attackers could overwrite critical configuration files to gain persistent access or execute arbitrary commands, jeopardizing confidentiality, integrity, and availability of source code repositories and associated infrastructure. This could facilitate supply chain attacks, data theft, or disruption of development workflows. The presence of nearly 100 exposed Gogs servers in Germany, combined with the strategic importance of software development and supply chain security in Europe, heightens the threat. Organizations relying on Gogs for internal or public-facing Git repository management may face increased risk of targeted attacks, especially if default open registration is enabled or network access is unrestricted. The lack of an immediate patch increases exposure time, emphasizing the need for interim mitigations. Additionally, exploitation could impact compliance with European data protection regulations if sensitive data is accessed or altered.

European organizations should immediately audit their Gogs deployments to identify internet-exposed instances and verify if open registration is enabled. Disable open registration to prevent unauthorized repository creation and symbolic link commits. Restrict access to Gogs servers by implementing VPNs, IP allow-lists, or network segmentation to limit exposure to trusted users only. Monitor repository commits for suspicious symbolic links or unusual file modifications. Employ file integrity monitoring on critical configuration files such as Git sshCommand settings to detect unauthorized changes. Prepare to update Gogs to the patched versions once official releases are available, including rebuilding Docker images with the fixed code. Consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block path traversal attempts targeting the PutContents API. Conduct internal awareness training for developers and administrators on this vulnerability and its exploitation vectors. Finally, integrate this vulnerability into vulnerability management and incident response plans to ensure timely detection and remediation.