CVE-2025-8110
📋 TL;DR
CVE-2025-8110 is a path traversal vulnerability in Gogs' PutContents API that allows improper symbolic link handling, enabling authenticated attackers to write arbitrary files and achieve remote code execution. This affects Gogs instances with authenticated user access. The vulnerability stems from insufficient validation of symbolic links in file operations.
💻 Affected Systems
- Gogs
📦 What is this software?
Gogs by Gogs
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise with root/system-level code execution, data exfiltration, lateral movement, and persistent backdoor installation.
Likely Case
Authenticated attackers achieving remote code execution with the privileges of the Gogs service account, potentially leading to repository manipulation, credential theft, and further network exploitation.
If Mitigated
Limited impact with proper network segmentation, minimal service privileges, and strict access controls preventing successful exploitation or lateral movement.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once authentication is obtained; public proof-of-concept code is available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.14.0 and later
Vendor Advisory: https://github.com/gogs/gogs/security/advisories/GHSA-xxxx-xxxx-xxxx
Restart Required: Yes
Instructions:
1. Backup your Gogs data and configuration. 2. Download Gogs version 0.14.0 or later from the official repository. 3. Stop the Gogs service. 4. Replace the existing Gogs binary with the new version. 5. Restart the Gogs service. 6. Verify the version is updated.
🔧 Temporary Workarounds
Disable PutContents API
allTemporarily disable or restrict access to the vulnerable PutContents API endpoint.
Modify Gogs configuration to block or require additional authentication for the affected API endpoint.
Restrict User Permissions
allLimit authenticated users to minimal necessary permissions and implement strict access controls.
Review and adjust user roles and permissions in Gogs administration panel.
🧯 If You Can't Patch
- Implement network segmentation to isolate Gogs instances from critical systems.
- Deploy application-level firewalls or WAF rules to block suspicious API requests targeting the PutContents endpoint.
🔍 How to Verify
Check if Vulnerable:
Check the Gogs version; if it's below 0.14.0, the system is vulnerable. Review logs for suspicious file write operations via the PutContents API.Check Version:
gogs --version or check the version in the Gogs web interface under Settings > About.Verify Fix Applied:
Confirm the Gogs version is 0.14.0 or higher and test that symbolic link handling in file operations is properly validated.📡 Detection & Monitoring
Log Indicators:
- Unusual file write operations via PutContents API, especially involving symbolic links or path traversal patterns.
Network Indicators:
- Suspicious HTTP requests to the PutContents endpoint with crafted parameters.
SIEM Query:
source="gogs.log" AND (PUT /api/v1/repos/*/contents/* OR path_traversal OR symlink)🔗 References
- http://wiz.io/blog/wiz-research-gogs-cve-2025-8110-rce-exploit
- http://www.openwall.com/lists/oss-security/2025/12/11/3
- http://www.openwall.com/lists/oss-security/2025/12/11/4
- http://www.openwall.com/lists/oss-security/2026/01/17/4
- http://www.openwall.com/lists/oss-security/2026/01/18/1
- http://www.openwall.com/lists/oss-security/2026/01/18/2
- https://github.com/gogs/gogs/commit/553707f3fd5f68f47f531cfcff56aa3ec294c6f6
- https://github.com/gogs/gogs/pull/8078
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-8110
