Summary
CVE-2025-8110 is a high-severity Gogs flaw caused by improper symlink handling in the PutContents API. It allows file overwrites outside repositories, leading to local code execution. All versions before 0.13.3 are affected and exploited. Upgrading to Gogs 0.13.3 fixes the issue.
Urgent Actions Required
- Update Gogs to version 0.13.3 or later; all earlier versions are vulnerable.
- Limit access to Gogs and the PutContents API until patched.
- Watch for suspicious activity, like unexpected file changes or abnormal repository updates.
Which Systems Are Vulnerable to CVE-2025-8110?
Technical Overview
- Vulnerability Type: Local Code Execution via Improper Symbolic Link Handling
- Affected Software/Versions:
All Gogs versions prior to 0.13.3 - Attack Vector: Network (HTTP/HTTPS to Gogs API)
- CVSS Score: 8.7
- CVSS Vector: v4.0
- Attack Vector: Network
- Attack Complexity: Low
- Attack Requirements: None
- Privileges Required: Low
- User Interaction: None
- Vulnerable System Complexity: High
- Vulnerable System Integrity: High
- Vulnerable System Availability: High
- Subsequent System Confidentiality: None
- Subsequent System Integrity: None
- Subsequent System Availability: None
- Automatable: Yes
- Recovery: User
- Value Density: Concentrated
- Exploit Maturity: Attacked
- Patch Availability: Yes, available
Releases · gogs/gogs
How Does the CVE-2025-8110 Exploit Work?
The attack typically follows these steps:
What Causes CVE-2025-8110?
Vulnerability Root Cause:
The flaw is due to improper symlink handling in the Gogs PutContents API. The API checks paths but does not validate symbolic links, allowing writes outside the repository. This can modify system files and enable code execution.
How Can You Mitigate CVE-2025-8110?
If immediate patching is delayed or not possible:
- Turn off open registration to stop untrusted users from creating repositories.
- Limit access to Gogs using a VPN or an IP allow list.
- Limit the exposure of the PutContents API to trusted users only.
- Monitor for unexpected repositories or abnormal file update activity, especially automated creations.
- Review repository contents for symbolic links pointing outside the repository path.
Which Assets and Systems Are at Risk?
Asset Types Affected:
- Self-hosted Gogs Git servers running vulnerable versions (versions earlier than 0.13.3).
- Internet-exposed Gogs instances accessible over the network.
- Gogs deployments with open registration enabled, allowing usercreated repositories.
Business-Critical Systems at Risk:
- Source code repositories hosted on the affected Gogs servers.
- Build and deployment environments connected to compromised Gogs instances.
- Server file systems where attackers can overwrite files via the PutContents API. Administrative configurations (e.g., files like .git/config) that can be modified to trigger code execution.
Exposure Level:
- Publicfacing Gogs servers are exposed to the internet, especially with open signups enabled.
- Instances allowing authenticated users to create repositories, which enables symlinkbased abuse.
- Unpatched deployments, where exploitation has been observed in the wild, and automation was reported.
Will Patching CVE-2025-8110 Cause Downtime?
Patch application impact: Low. Updating to Gogs 0.13.3 fixes the issue with minimal downtime.
How Can You Detect CVE-2025-8110 Exploitation?
Exploitation Signatures:
- Creation of new repositories with random 6–8 character names within a short time window
- Use of the PutContents API to modify files through symbolic links
- File changes that affect paths outside the repository directory
- Unexpected updates to sensitive files, such as .git/config
MITRE ATT&CK Mapping:
Indicators of Compromise (IOCs/IOAs):
- Repositories containing symbolic links pointing outside the repo
- Repositories created shortly before the file overwrite activity
- Outbound connections linked to reverse SSH shells
Behavioral Indicators:
- File overwrite activity occurring via normal-looking repository updates
- Repository creation followed immediately by file modification
- Persistent remote access established after overwrite
- Limited or no obvious error logs due to normal API usage
Alerting Strategy:
- Priority: High
- Alert on:
- Repository creation from unknown or newly created accounts
- Commits involving symbolic links
- File changes outside expected repository paths
- Indicators of reverse SSH or Supershell activity
Remediation & Response
Mitigation Steps if No Patch:
- Disable open user registration to prevent attackers from creating new repositories
- Remove direct internet exposure by placing Gogs behind a VPN, firewall allowlist, or authenticated reverse proxy
- Limit repository creation and API access to trusted users only
- Review repositories for random or newly created names and the presence of symbolic links
- Monitor PutContents API usage for unusual file update activity
Remediation Timeline:
- Immediate: Disable open registration and restrict external access
- Short term: Audit repositories and check for file overwrites or symlink abuse
- As soon as available: Upgrade to Gogs 0.13.3 or later, which addresses the issue
Incident Response Considerations:
- Treat internetexposed instances with open registration as potentially compromised
- Inspect repositories for unexpected symlinks or modified system-related files
- Look for indicators linked to Supershell or reverse SSH activity
- Review access and API logs around repository creation and file modification events
