U.S. CISA Adds Gogs Flaw to Known Exploited Vulnerabilities Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has taken a significant step in bolstering cybersecurity measures by adding a critical flaw affecting Gogs, a popular self-hosted Git service, to its Known Exploited Vulnerabilities (KEV) catalog. Tracked as CVE-2025-8110, this vulnerability poses a serious threat, with a CVSS score of 8.7, indicating its high severity.
Understanding Gogs
Gogs, short for Go Git Service, is an open-source Git service designed for ease of use and lightweight performance. This platform allows developers to host their Git repositories in an efficient manner. However, like many software solutions, it isn’t immune to vulnerabilities, particularly when misconfigurations or design flaws arise.
The Nature of the Vulnerability
The flaw stems from improper symbolic link handling within the PutContents API of Gogs. In technical terms, a symbolic link is a file system object that points to another file. If not handled correctly, it can be manipulated to access files and directories outside the intended scope, leading to unauthorized actions.
The specifics of this vulnerability allow authenticated users to potentially overwrite files outside of the Gogs repository, which can escalate into Remote Code Execution (RCE). Such a breach not only jeopardizes the integrity of the affected system but can also enable attackers to execute arbitrary commands on the server.
Discovery and Response
This vulnerability was discovered by Wiz Research during an investigation related to a malware incident in July 2025. Following its identification, the Gogs development team acted promptly, patching the issue within a week. The researchers highlighted that this flaw is a bypass for a previously patched RCE vulnerability (CVE-2024-55947), showcasing a troubling trend in the handling of symlinks within Gogs.
The Implications of the Flaw
Wiz Research noted that during their investigation, over 700 instances of Gogs were found to be compromised, all displaying similar patterns. This suggests that a single actor or group may be leveraging automated tools to exploit this vulnerability, casting a wider net for potential attacks against public-facing Gogs instances.
The Gogs API flaw allows attackers to exploit Git’s symlink feature by creating a symlink within a repository that points to a file beyond the repository itself. When the API is invoked, the server follows the symlink without appropriate validation, thus overwriting the targeted file—potentially crucial system files like .git/config. This oversight enables attackers to execute commands, illustrating a significant flaw in the application’s defenses.
CISA’s Directive and Recommendations
Under Binding Operational Directive (BOD) 22-01, federal agencies are mandated to address vulnerabilities listed in the CISA catalog. Agencies must patch this vulnerability by February 2, 2026, to mitigate the risks posed by potential exploits.
Experts recommend that private organizations also review the CISA catalog actively. By doing so, they can identify and rectify vulnerabilities in their infrastructure. This proactive approach not only enhances individual security postures but collectively strengthens the cybersecurity landscape.
Summary of Key Points
- Vulnerability: Gogs has a path traversal flaw (CVE-2025-8110) with a CVSS score of 8.7.
- Impact: Allows authenticated users to overwrite files and execute code remotely.
- Discovery: Identified by Wiz Research during a malware investigation.
- Prevalence: Over 700 Gogs instances were found compromised.
- Response Requirement: CISA mandates fixes by February 2, 2026, for federal agencies.
For those managing systems that utilize Gogs or similar software, this serves as a poignant reminder of the importance of vigilant security practices. Monitoring known vulnerabilities and maintaining an updated infrastructure are critical components in the ongoing battle against cyber threats.
