
Unpatched Gogs Zero-Day Exploited Across 700+ Instances Amid Active Attacks

High
Exploit
Published: Thu Dec 11 2025 (12/11/2025, 10:30:00 UTC)
Source: The Hacker News

Description

A high-severity unpatched security vulnerability in Gogs has come under active exploitation, with more than 700 compromised instances accessible over the internet, according to new findings from Wiz. The flaw, tracked as CVE-2025-8110 (CVSS score: 8.7), is a case of file overwrite in the file update API of the Go-based self-hosted Git service. A fix for the issue is said to be currently in the

AI-Powered Analysis

Last updated: 12/11/2025, 10:38:59 UTC

Technical Analysis

CVE-2025-8110 in Gogs arises from improper handling of symbolic links in the PutContents API, part of the file update mechanism of this self-hosted Git service written in Go. An attacker creates a Git repository containing a symbolic link that points outside the repository to a sensitive file or directory, then uses the API to write through that link and overwrite files outside the repository. Critical configuration files such as .git/config are among the targets: modifying its sshCommand setting causes arbitrary commands to run on the server, yielding remote code execution (RCE) without requiring authentication or user interaction. The flaw effectively bypasses the fix for a previously patched RCE vulnerability (CVE-2024-55947), because Git repositories are allowed to contain symbolic links and the API can modify files outside the normal Git protocol.

Active exploitation has been observed since July 2025, with over 700 compromised Gogs instances identified out of approximately 1,400 exposed. The attackers deploy a payload based on Supershell, an open-source command-and-control framework often linked to Chinese threat actors, and establish reverse SSH shells to attacker-controlled servers. The campaign shows signs of a smash-and-grab style attack: the attackers leave behind repositories with random 8-character names, indicating rapid exploitation with no attempt at stealth. The vulnerability remains unpatched, and the Gogs development team is reportedly working on a fix.

Separately, the wider threat landscape includes abuse of leaked GitHub Personal Access Tokens (PATs) to gain initial access and move laterally across cloud environments, highlighting a broader risk to cloud-native development and deployment pipelines.

Potential Impact

European organizations using Gogs for self-hosted Git services face severe risks including unauthorized remote code execution, full server compromise, data exfiltration, and potential lateral movement within cloud environments. The ability to overwrite arbitrary files and execute commands remotely threatens confidentiality, integrity, and availability of critical development infrastructure. Compromise could lead to theft or manipulation of source code, insertion of malicious code, disruption of development workflows, and exposure of sensitive credentials or secrets. Given the active exploitation and lack of a patch, organizations with internet-exposed Gogs instances are particularly vulnerable. The use of Supershell malware indicates potential for persistent backdoors and further exploitation. This threat also raises concerns about supply chain security and cloud environment integrity, especially as attackers leverage leaked GitHub PATs to escalate privileges and move across cloud service providers. The impact extends to regulatory compliance risks under GDPR and other European data protection laws if personal or sensitive data is exposed or manipulated.

Mitigation Recommendations

1. Immediately disable open user registration on all Gogs instances to prevent unauthorized repository creation.
2. Restrict access to Gogs instances by limiting exposure to the internet using firewalls, VPNs, or IP whitelisting.
3. Conduct thorough scans of all repositories for suspicious 8-character random owner/repository names indicative of compromise.
4. Monitor logs and network traffic for anomalous SSH connections and unexpected API usage patterns.
5. Implement strict access controls and audit all privileged accounts interacting with Gogs.
6. Temporarily suspend use of the PutContents API or restrict its functionality until a patch is released.
7. Regularly back up repositories and configuration files to enable recovery from compromise.
8. Educate development and security teams about this vulnerability and the risks of symbolic link abuse.
9. Monitor official Gogs channels for patch releases and apply updates immediately upon availability.
10. Review and rotate any secrets or credentials stored in Git repositories or CI/CD pipelines to mitigate risks from leaked tokens.
11. Employ runtime detection tools to identify and block Supershell or similar C2 frameworks.
12. For cloud environments, audit GitHub PAT usage and enforce least privilege principles to reduce lateral movement risks.
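As an added example (not code from Gogs, Wiz or the article), a small triage script for two of the indicators named in the technical analysis and in recommendation 3: a core.sshCommand key planted in a repository's git config, and random-looking 8-character owner/repository names. The on-disk layout <repo_root>/<owner>/<repo>.git/config is an assumption; adjust it to the instance's configured repository root.

```python
import re
from pathlib import Path

# Git config headers such as [core] or [remote "origin"]; git keys are case-insensitive.
SECTION_RE = re.compile(r'^\[([\w.-]+)(?:\s+"[^"]*")?\]$')
# Random-looking 8-character alphanumeric owner/repository names, the campaign's leftovers.
RANDOM_NAME_RE = re.compile(r"^[A-Za-z0-9]{8}$")

def find_ssh_command(config_text):
    """Return the core.sshCommand value if this git config sets one, else None."""
    section = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        key, sep, value = line.partition("=")
        if sep and section == "core" and key.strip().lower() == "sshcommand":
            return value.strip()
    return None

def looks_random_name(name):
    """True for a bare 8-character alphanumeric name; a trailing '.git' is ignored."""
    return bool(RANDOM_NAME_RE.match(name[:-4] if name.endswith(".git") else name))

def triage_repo(owner, repo, config_text):
    """Return human-readable findings for one repository (empty list if clean)."""
    findings = []
    if looks_random_name(owner) or looks_random_name(repo):
        findings.append(f"{owner}/{repo}: random-looking 8-character name")
    cmd = find_ssh_command(config_text)
    if cmd is not None:
        findings.append(f"{owner}/{repo}: core.sshCommand is set to {cmd!r}")
    return findings

def scan_repo_root(repo_root):
    """Assumed layout: <repo_root>/<owner>/<repo>.git/config (bare repos keep config at top level)."""
    findings = []
    for cfg in Path(repo_root).glob("*/*/config"):
        owner, repo = cfg.parent.parent.name, cfg.parent.name
        findings.extend(triage_repo(owner, repo, cfg.read_text(errors="replace")))
    return findings

# Constructed sample configs, not captured from a real incident.
BENIGN_CONFIG = "[core]\n\trepositoryformatversion = 0\n\tbare = true\n"
PLANTED_CONFIG = BENIGN_CONFIG + "\tsshCommand = echo PLACEHOLDER_NOT_A_REAL_PAYLOAD\n"
```

Run scan_repo_root against the repository root of an exposed instance and treat any finding as a reason to take that repository offline and preserve it for forensics before cleanup.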


Technical Details

Article Source: https://thehackernews.com/2025/12/unpatched-gogs-zero-day-exploited.html (fetched 2025-12-11T10:38:41.827Z, 1261 words)

Threat ID: 693a9f317d4c6f31f79c024c

Added to database: 12/11/2025, 10:38:41 AM

Last enriched: 12/11/2025, 10:38:59 AM

Last updated: 12/12/2025, 3:59:53 AM


