DevSecOps, Vulnerability Management

Gogs Git service zero-day exploited since Dec. 1

A zero-day in the widely-used self-hosted Git service Gogs has been actively exploited since Dec. 1.

Wiz researchers reported in a Dec. 10 blog post that a Shodan scan identified more than 1,400 exposed servers, 700 of them compromised instances public-facing on the internet.

According to Wiz, the flaw, CVE-2025-8110, is a symlink-based bypass of a previously patched flaw, CVE-2024-55947, and lets authenticated users overwrite files outside the repository, leading to remote code execution (RCE).

The maintainers are now working on a fix, but active exploitation continues in the wild.

Written in Go, the Gogs Git service offers a lightweight alternative to GitLab or GitHub Enterprise and has become popular among developers for its ease of deployment and minimal resource usage. The Wiz researchers said because it’s self-hosted, it’s frequently found in both on-premises and cloud environments, often exposed to the internet to foster remote collaboration.

John Bambenek, president at Bambenek Consulting, said organizations may elect to host their own source-code repositories with tools like Gogs, but if they do, they also need to secure them.

First and foremost, developers should ask whether they need to list their repos on the open internet in the first place. More importantly, this flaw exploited permissive by-default permissions that let any user create repositories.

“Organizations should lock down permissions and require all usage to be from authenticated users – ideally with SSO and MFA – and permissions be restricted so only a subset of users can create repositories and PRs need to be reviewed and approved,” said Bambenek.

Mayuresh Dani, security research manager at Qualys, explained that CVE-2025-8110 is a symlink-based path traversal bypass in the PutContents API—the Gogs file modification endpoint. Because of this flaw, the API fails to validate the destination target of symbolic links, only checking the path parameter itself.

Dani noted that “such symlink-based vulnerabilities in Git infrastructure are not unique to Gogs alone.”

Based on this new information from the Wiz researchers, Dani said teams should do the following:

  • Audit for all Gogs instances in their environments and focus on instances with versions ≤0.13.3 that have user registration enabled.
  • Immediately disable "Open Registration" on all Gogs instances. 
  • Until an official patch gets released, enable read-only mode on critical repositories.
  • Enable mandatory SSH key authentication and disable password-based Git access.
  • Perform a symlink audit of all repositories to weed out suspicious symlinks that point outside expected repository boundaries.
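The two technical points above, the symlink-resolution gap Dani describes in the PutContents path check and the repository symlink audit recommended in the last bullet, as an added Go example. This is illustrative code written for this article, not Gogs code and not from Wiz or Qualys; it assumes a plain working tree on disk, and the function names and the demo fixture are constructed. `LexicalCheck` models a check that inspects only the supplied path string, `ResolvedCheck` resolves symlinks first and tests the real destination against the repository root, and `AuditSymlinks` walks a tree and lists symlinks whose target escapes it.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// withinRoot reports whether the cleaned absolute path p lies inside root.
func withinRoot(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// LexicalCheck models the weak check: only the path string is examined, so a
// symlink that already sits inside the repository and points outside passes.
func LexicalCheck(repoRoot, userPath string) bool {
	return withinRoot(repoRoot, filepath.Join(repoRoot, userPath))
}

// ResolvedCheck hardens the check: symlinks (including a symlinked parent
// directory) are resolved before the destination is compared with the root.
// Assumption: intermediate directories of a new file already exist.
func ResolvedCheck(repoRoot, userPath string) (bool, error) {
	realRoot, err := filepath.EvalSymlinks(repoRoot)
	if err != nil {
		return false, err
	}
	joined := filepath.Join(realRoot, userPath)
	if !withinRoot(realRoot, joined) { // plain ".." traversal
		return false, nil
	}
	info, err := os.Lstat(joined)
	switch {
	case err == nil && info.Mode()&fs.ModeSymlink != 0:
		// Final component is a symlink: a dangling one would be created on
		// write, so it is rejected; a live one must resolve inside the root.
		target, err := filepath.EvalSymlinks(joined)
		if err != nil {
			return false, nil
		}
		return withinRoot(realRoot, target), nil
	case errors.Is(err, fs.ErrNotExist):
		// New file: resolve the parent so a symlinked directory is caught.
		parent, err := filepath.EvalSymlinks(filepath.Dir(joined))
		if err != nil {
			return false, err
		}
		return withinRoot(realRoot, filepath.Join(parent, filepath.Base(joined))), nil
	case err != nil:
		return false, err
	}
	target, err := filepath.EvalSymlinks(joined) // existing file or directory
	if err != nil {
		return false, err
	}
	return withinRoot(realRoot, target), nil
}

// AuditSymlinks walks a working tree and returns the repository-relative paths
// of symlinks that resolve outside the repository (dangling links are flagged too).
func AuditSymlinks(repoRoot string) ([]string, error) {
	realRoot, err := filepath.EvalSymlinks(repoRoot)
	if err != nil {
		return nil, err
	}
	var escaping []string
	err = filepath.WalkDir(realRoot, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if d.Type()&fs.ModeSymlink == 0 {
			return nil
		}
		rel, _ := filepath.Rel(realRoot, p)
		target, err := filepath.EvalSymlinks(p)
		if err != nil {
			escaping = append(escaping, rel+" (dangling)")
		} else if !withinRoot(realRoot, target) {
			escaping = append(escaping, rel)
		}
		return nil
	})
	return escaping, err
}

// BuildDemoRepo creates a constructed fixture: base/repo holds a safe symlink,
// a symlink to a file outside the repo and a symlinked directory pointing outside.
func BuildDemoRepo(base string) (string, error) {
	repo, outside := filepath.Join(base, "repo"), filepath.Join(base, "outside")
	for _, d := range []string{filepath.Join(repo, "src"), outside} {
		if err := os.MkdirAll(d, 0o755); err != nil {
			return "", err
		}
	}
	if err := os.WriteFile(filepath.Join(repo, "README.md"), []byte("demo\n"), 0o644); err != nil {
		return "", err
	}
	if err := os.WriteFile(filepath.Join(outside, "secret.txt"), []byte("outside\n"), 0o644); err != nil {
		return "", err
	}
	links := map[string]string{
		filepath.Join(repo, "readme-link"): "README.md",             // stays inside
		filepath.Join(repo, "escape"):      "../outside/secret.txt", // file outside
		filepath.Join(repo, "src", "cfg"):  "../../outside",         // directory outside
	}
	for link, target := range links {
		if err := os.Symlink(target, link); err != nil {
			return "", err
		}
	}
	return repo, nil
}

func main() {
	base, err := os.MkdirTemp("", "gogs-symlink-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(base)
	repo, err := BuildDemoRepo(base)
	if err != nil {
		panic(err)
	}
	for _, p := range []string{"README.md", "escape", "src/cfg/new.txt", "../outside/secret.txt"} {
		ok, err := ResolvedCheck(repo, p)
		fmt.Printf("%-22s lexical=%-5v resolved=%-5v err=%v\n", p, LexicalCheck(repo, p), ok, err)
	}
	bad, err := AuditSymlinks(repo)
	fmt.Println("escaping symlinks:", bad, err)
}
```

Running the demo shows the gap the article describes: `escape` and `src/cfg/new.txt` pass the lexical check because the path string never leaves the repository, while the resolved check rejects both; the audit lists `escape` and `src/cfg` as the links to review.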
