Message-ID: <7ae55330-061d-41d6-a2c0-e83b2ba16235@oracle.com>
Date: Wed, 10 Dec 2025 15:18:28 -0800
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2025-8110 in Gogs self-hosted git service
https://github.com/gogs/gogs offers an MIT-licensed self-hosted git service.
https://www.wiz.io/blog/wiz-research-gogs-cve-2025-8110-rce-exploit warns of
CVE-2025-8110, an as-yet-unfixed vulnerability in this service which they say
they are seeing being actively exploited.
It says:
> Executive Summary
> -----------------
>
> While investigating a malware infection on a customer workload,
> Wiz Research discovered an active zero-day vulnerability in Gogs,
> a popular self-hosted Git service.
>
> A symlink bypass (CVE-2025-8110) of a previously patched RCE
> (CVE-2024-55947) allows authenticated users to overwrite files
> outside the repository, leading to Remote Code Execution (RCE).
>
> We identified over 700 compromised instances public-facing on the internet.
>
> As of December 1, 2025, active exploitation is ongoing, and a
> patch is not yet available.
>
> Introduction
> ------------
>
> On July 10th, the Wiz Threat Research team observed malware findings
> on public-facing instances of Gogs, a popular self-hosted Git
> service. What began as a routine investigation into an infected
> machine turned into the accidental discovery of a live zero-day
> vulnerability.
>
> During our analysis of the exploitation attempts, we identified that
> the threat actor was leveraging a previously unknown flaw to
> compromise instances. We responsibly disclosed this vulnerability to
> the maintainers. They are currently working on a fix, but active
> exploitation continues in the wild.
>
> What is Gogs
> ------------
>
> Gogs is a popular self-hosted Git service written in Go. It provides a
> lightweight alternative to GitLab or GitHub Enterprise and is popular
> among developers for its ease of deployment and minimal resource
> usage. Because it is self-hosted, it is frequently found in both
> on-premise and cloud environments, often exposed to the internet to
> enable remote collaboration.
>
> The popularity of Gogs makes it a significant target. In our external
> scan, we identified over 1,400 Gogs servers publicly exposed to the
> internet. Many of these instances are configured with "Open
> Registration" enabled by default, creating a massive attack surface
> for the vulnerability described below.
>
> What is CVE-2025-8110?
> ----------------------
>
> CVE-2025-8110 is, effectively, a bypass for an earlier RCE vulnerability
> (CVE-2024-55947) originally discovered by ManassehZhou.
>
> The History (CVE-2024-55947)
> ----------------------------
>
> The previous flaw abused a path traversal weakness in the PutContents
> API. It allowed an attacker to write files outside the git repository
> directory, granting the ability to overwrite sensitive system files or
> configuration files to achieve code execution. The maintainers
> addressed this by adding input validation on the path parameter.
>
> The Bypass (CVE-2025-8110)
> --------------------------
>
> Unfortunately, the fix implemented for the previous CVE did not
> account for symbolic links.
>
> This new bypass relies on two key facts:
>
> 1. Git, and subsequently Gogs, allows symbolic links to be used in git
> repositories, and those symbolic links can point to objects
> outside the repository
>
> 2. Gogs API allows file modification outside of the regular git
> protocol, and its previous iteration of this implementation didn’t
> properly check for symbolic link abuse.
>
> The Gogs API allows file modification outside of the regular git
> protocol, and while it now validates path names, it fails to validate
> the destination of a symbolic link. Because Gogs respects standard Git
> behavior, it allows users to commit symbolic links to repositories.
> The vulnerability arises because the API writes to the file path
> without checking if the target file is actually a symlink pointing
> outside the repo. This effectively renders the previous path
> validation useless if a symlink is involved.
>
> The Attack Chain
> -----------------
>
> The exploitation process is trivial for any user with repository
> creation permissions (enabled by default):
>
> 1. The attacker creates a standard git repository.
>
> 2. They commit a single symbolic link pointing to a sensitive target.
>
> 3. Using the PutContents API, they write data to the symlink. The system
> follows the link and overwrites the target file outside the repository.
>
> 4. By overwriting .git/config (specifically the sshCommand), the
> attacker can force the system to execute arbitrary commands.
[...]
> Disclosure Timeline
> -------------------
>
> The patch status for this vulnerability is critical. Despite responsible
> disclosure, the vulnerability remains unpatched in the main branch as of
> this writing.
>
> July 10, 2025: First indication of exploitation observed by Wiz.
>
> July 15, 2025: Discovery of Supershell malware on a vulnerable machine.
>
> July 17, 2025: Vulnerability reported to Gogs maintainers.
>
> Oct 30, 2025: Acknowledgment of the vulnerability by Gogs maintainers.
>
> Nov 1, 2025: A second wave of attacks observed in the wild.
>
> Dec 10, 2025: The vulnerability has not yet been fixed.
>
> Remediation & Mitigation
> ------------------------
>
> Are you vulnerable? If you are running a Gogs server (version <= 0.13.3) that is:
>
> 1. Exposed to the internet.
>
> 2. Has open-registration enabled (default setting).
>
> Then you are vulnerable to CVE-2025-8110.
>
> Immediate Actions:
>
> 1. If your instance does not require open-registration, disable this
> immediately.
>
> 2. Limit internet exposure. Place self-hosted Git services behind a VPN
> or use an allow-list for IP addresses.
>
> 3. Look for the creation of repositories with random 8-character names or
> unexpected usage of the PutContents API.
>
The original blog post at
https://www.wiz.io/blog/wiz-research-gogs-cve-2025-8110-rce-exploit
has further details, including images that are missing from the plain
text quotations above.
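The write-up's core point is that a lexical path check (clean the path, confirm it is still under the repository root) says nothing about what is already on disk at that path, so a committed symlink sails through it. The Go program below is an added illustration written for this post; it is not Gogs code, and its function names (`lexicalCheck`, `symlinkAwareTarget`, `putContents`, `buildFixture`) and error values are hypothetical stand-ins rather than Gogs's real `PutContents` implementation. It builds a constructed temporary repository containing a file symlink and a directory symlink that both point outside the repository, then shows that the lexical check accepts writes through them while a check that `Lstat`s each path component refuses them.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Sentinel errors for the two checks below (hypothetical names, not Gogs's).
var (
	ErrOutsideRepo = errors.New("path resolves outside the repository")
	ErrSymlink     = errors.New("path passes through a symbolic link")
)

// lexicalCheck is a purely string-based validation of the kind the write-up
// describes as the earlier fix: clean the path and require that it still lies
// under root. It never touches the filesystem, so a symlink committed inside
// the repository passes unchallenged.
func lexicalCheck(root, rel string) (string, error) {
	cleanRoot := filepath.Clean(root)
	full := filepath.Join(cleanRoot, rel) // Join cleans, collapsing ".." segments
	if !strings.HasPrefix(full, cleanRoot+string(os.PathSeparator)) {
		return "", ErrOutsideRepo
	}
	return full, nil
}

// symlinkAwareTarget runs the lexical check and then Lstat's every path
// component below root, refusing the write if any of them is a symlink.
// Components that do not exist yet are allowed (the file is being created).
func symlinkAwareTarget(root, rel string) (string, error) {
	full, err := lexicalCheck(root, rel)
	if err != nil {
		return "", err
	}
	cleanRoot := filepath.Clean(root)
	inside, err := filepath.Rel(cleanRoot, full)
	if err != nil {
		return "", err
	}
	cur := cleanRoot
	for _, part := range strings.Split(inside, string(os.PathSeparator)) {
		cur = filepath.Join(cur, part)
		fi, err := os.Lstat(cur)
		if errors.Is(err, os.ErrNotExist) {
			return full, nil // nothing below a missing component can exist either
		}
		if err != nil {
			return "", err
		}
		if fi.Mode()&os.ModeSymlink != 0 {
			return "", ErrSymlink
		}
	}
	return full, nil
}

// putContents stands in for a content-writing API endpoint: it writes only
// after the symlink-aware check has accepted the path.
func putContents(root, rel string, data []byte) error {
	target, err := symlinkAwareTarget(root, rel)
	if err != nil {
		return err
	}
	if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
		return err
	}
	return os.WriteFile(target, data, 0o644)
}

// buildFixture creates a constructed repository directory holding a file
// symlink and a directory symlink that both point outside the repository.
// It returns the temp parent (for cleanup), the repo root and the outside file.
func buildFixture() (parent, root, outside string, err error) {
	if parent, err = os.MkdirTemp("", "symlink-check-demo-"); err != nil {
		return
	}
	root = filepath.Join(parent, "repo")
	outside = filepath.Join(parent, "victim.conf")
	if err = os.Mkdir(root, 0o755); err != nil {
		return
	}
	if err = os.WriteFile(outside, []byte("original\n"), 0o644); err != nil {
		return
	}
	if err = os.Symlink(outside, filepath.Join(root, "link.txt")); err != nil {
		return
	}
	err = os.Symlink(parent, filepath.Join(root, "escape"))
	return
}

func main() {
	parent, root, outside, err := buildFixture()
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(parent)
	for _, rel := range []string{"docs/new.md", "link.txt", "escape/victim.conf", "../victim.conf"} {
		_, lexErr := lexicalCheck(root, rel)
		_, safeErr := symlinkAwareTarget(root, rel)
		fmt.Printf("%-20s lexical ok=%-5v symlink-aware ok=%-5v %v\n", rel, lexErr == nil, safeErr == nil, safeErr)
	}
	fmt.Println("write through link.txt:", putContents(root, "link.txt", []byte("changed\n")))
	b, _ := os.ReadFile(outside)
	fmt.Printf("outside file still contains %q\n", b)
}
```

The `Lstat` walk still leaves a window between the check and the write in which a path component could be swapped for a symlink; on Go 1.24 or later the cleaner option is `os.OpenRoot` on the repository directory and writing through the returned `os.Root`, which has the operating system enforce that no component escapes the root, and on Unix the final component can additionally be opened with `O_NOFOLLOW`. Either way the check belongs server-side in the write path, which is exactly where the write-up says the earlier fix stopped short.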