A high-severity security vulnerability affecting Gogs has been actively exploited, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which has added it to its Known Exploited Vulnerabilities (KEV) catalog. Tracked as CVE-2025-8110 (CVSS score: 8.7), the vulnerability is related to a path traversal scenario in the repository file editor that may lead to code execution. "Gogs Path Traversal Vulnerability: Gogs contains a path traversal vulnerability affecting improper Symbolic link handling in the PutContents API that could allow for code execution," the CISA advisory stated.
Last month, Wiz revealed the vulnerability after claiming to have found it being used in zero-day attacks.
The issue bypasses the safeguards put in place for CVE-2024-55947: a user creates a Git repository, commits a symbolic link pointing to a sensitive target, and then uses the PutContents API to write data to the symlink. Because the underlying operating system follows the symlink to the actual file it points to, the target file outside of the repository is overwritten. An attacker could use this behavior to gain code execution by overwriting Git configuration files, particularly the sshCommand setting.
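The missing check the passage describes, as an added example in Go (not code from Gogs or from Wiz): a path-containment helper that follows symbolic links before deciding whether a repository-relative write stays inside the working tree, instead of relying on lexical "../" stripping. The names safeRepoPath, resolveExisting and ErrOutsideRepo are assumed here, not Gogs identifiers.

```go
package main

import (
	"errors"
	"os"
	"path/filepath"
	"strings"
)

var ErrOutsideRepo = errors.New("path resolves outside the repository root")

// resolveExisting follows symlinks in the longest existing prefix of p and re-appends the rest.
func resolveExisting(p string) (string, error) {
	var tail []string
	for {
		r, err := filepath.EvalSymlinks(p)
		if err == nil {
			return filepath.Join(append([]string{r}, tail...)...), nil
		}
		if !errors.Is(err, os.ErrNotExist) {
			return "", err
		}
		// A dangling symlink also reports "not exist"; a write would create its target.
		if fi, lerr := os.Lstat(p); lerr == nil && fi.Mode()&os.ModeSymlink != 0 {
			return "", errors.New("refusing to write through dangling symlink " + p)
		}
		dir, base := filepath.Split(p)
		if dir = filepath.Clean(dir); dir == p {
			return "", err // reached the filesystem root: nothing existed
		}
		tail = append([]string{base}, tail...)
		p = dir
	}
}

// safeRepoPath rejects a repo-relative path unless its resolved location (symlinks
// followed) is inside repoRoot; the leading "/" lets Clean drop any "../" prefix first.
func safeRepoPath(repoRoot, relPath string) (string, error) {
	root, err := filepath.EvalSymlinks(repoRoot)
	if err != nil {
		return "", err
	}
	resolved, err := resolveExisting(filepath.Join(root, filepath.Clean("/"+relPath)))
	if err != nil {
		return "", err
	}
	if !strings.HasPrefix(resolved, root+string(os.PathSeparator)) {
		return "", ErrOutsideRepo
	}
	return resolved, nil
}
```

The returned path is the one to hand to os.WriteFile; a symlink to an existing outside file, a dangling symlink, and a file beneath a symlinked directory are all refused, while ordinary new files and "../" attempts are clamped inside the tree.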
According to Wiz, 700 Gogs instances were found to be compromised. Data from the attack surface management platform Censys shows roughly 1,600 internet-exposed Gogs servers, most of them in China (991), followed by the United States (146), Russia (49), Germany (98), and Hong Kong (56). Although pull requests on GitHub indicate that the required code changes have been made, no patched release that addresses CVE-2025-8110 is currently available. One of the project maintainers stated last week that "both gogs/gogs:latest and gogs/gogs:next-latest will have this CVE patched once the image is built on main."
In the absence of a fix, Gogs users are advised to restrict server access with a VPN or an allow-list and to disable the default open-registration setting. Federal Civilian Executive Branch (FCEB) agencies must apply the required mitigations by February 2, 2026.