A zero-day vulnerability in the self-hosted Git service Gogs is actively exploited, compromising over 700 instances. The bug allows for remote code execution (RCE) and affects internet-exposed servers running older versions with open registration. Mitigation steps include disabling open registration and restricting internet exposure.
A critical zero-day vulnerability in Gogs, a popular self-hosted Git service, is being actively exploited, with over 700 instances already compromised. The open-source project is currently without a patch, leaving vulnerable servers exposed to remote code execution (RCE) attacks. Security researchers at Wiz accidentally discovered the flaw in July while investigating malware on an infected machine.
They subsequently reported the vulnerability to Gogs maintainers, who are working on a fix, but exploitation continues in the wild, posing a significant threat to organizations and individuals using the software. The vulnerability, tracked as CVE-2025-8110, affects all internet-exposed Gogs servers running version 0.13.3 or earlier that have open registration enabled, a default setting. The impact is severe, allowing attackers to overwrite files outside the repository and execute arbitrary commands, potentially leading to complete system compromise.

The vulnerability is a bypass of a previously patched bug (CVE-2024-55947), which addressed an earlier RCE flaw. Gogs, written in Go, allows users to host Git repositories on their own servers or cloud infrastructure, offering an alternative to services like GitHub. The core issue lies in Gogs' handling of symbolic links (symlinks), which are pointers to other files or directories. The Gogs API allows file modification outside the standard Git protocol. The initial fix for CVE-2024-55947 didn't adequately address the misuse of symlinks, creating an attack vector that allows attackers to overwrite critical files. The exploitation process is relatively simple for anyone with repository creation permissions, which are enabled by default. Attackers can create a symbolic link, use the PutContents API to write data to it, and overwrite a target file outside the repository. Specifically, they can overwrite the .git/config file, and by modifying the sshCommand setting, they can force the system to execute malicious commands. This can lead to a complete takeover of the server, allowing attackers to steal data, install malware, or disrupt operations.
Wiz's analysis revealed that the attacks involved the creation of repositories with random 8-character names and the use of the Supershell remote command-and-control framework.

Approximately 1,400 Gogs instances are exposed to the internet, and over 700 of them have been confirmed as compromised. The observed attacks involved repositories created on July 10, utilizing a payload that employed the Supershell framework. The researchers' initial assessment suggests that the attackers may be based in Asia, based on the use of Supershell, which has been linked to previous attacks. While Wiz was able to quickly remove the malware in the environments they had visibility into, they acknowledge they lack visibility into the post-exploitation activity on other compromised servers. Wiz recommends immediate action to mitigate the risk, including disabling open registration if not required and restricting internet exposure by placing self-hosted Git services behind a VPN. Furthermore, users should monitor for newly created repositories with random 8-character names, and any unusual use of the PutContents API, as indicators of compromise. The security team at Gogs is actively working on a fix, but the exact timeline is not yet available. Until a patch is released, users must rely on these mitigation strategies to protect their systems from exploitation. The active exploitation and the ease of compromise highlight the importance of timely patching and proactive security measures in managing self-hosted infrastructure. Further updates will be provided as more information becomes available from Gogs and Wiz.
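The following script is an added example, not code from Wiz or the Gogs project, that turns the indicators described above (random 8-character repository names, a `sshCommand` setting written into a repository's git config, and symlinks pointing outside the repository) into a local scan of a Gogs repository root. It assumes Gogs stores bare repositories as `<repo_root>/<owner>/<name>.git` with the git config at `<name>.git/config`; the 8-character name pattern is a heuristic, since the article does not state the exact character set, and the sample repositories are constructed in a temporary directory.

```python
import os
import re
import tempfile
from pathlib import Path

# Heuristic (assumption): lowercase alphanumeric, exactly 8 characters.
RANDOM_NAME = re.compile(r"^[a-z0-9]{8}$")
# Any sshCommand key in a git config is unexpected on a Gogs server.
SSH_COMMAND = re.compile(r"^\s*sshCommand\s*=", re.IGNORECASE | re.MULTILINE)


def escaping_symlinks(repo):
    """Return symlinks under repo whose target resolves outside the repo."""
    root = repo.resolve()
    found = []
    for p in repo.rglob("*"):
        if p.is_symlink():
            target = (p.parent / os.readlink(p)).resolve()
            if target != root and root not in target.parents:
                found.append(str(p.relative_to(repo)))
    return found


def scan_repo_root(repo_root):
    """Scan every <owner>/<repo> directory; return (repo, indicator) tuples."""
    findings = []
    for repo in sorted(Path(repo_root).glob("*/*")):
        if not repo.is_dir():
            continue
        rel = str(repo.relative_to(repo_root))
        if RANDOM_NAME.match(repo.name.removesuffix(".git")):
            findings.append((rel, "random-8char-name"))
        for cfg in (repo / "config", repo / ".git" / "config"):  # bare / non-bare
            if cfg.is_file() and SSH_COMMAND.search(cfg.read_text(errors="replace")):
                findings.append((rel, "sshCommand-in-config"))
        for link in escaping_symlinks(repo):
            findings.append((rel, "escaping-symlink:" + link))
    return findings


def build_fixture():
    """Constructed sample repo root: one benign repo and one suspicious one."""
    root = Path(tempfile.mkdtemp())
    benign = root / "alice" / "website.git"
    benign.mkdir(parents=True)
    (benign / "config").write_text("[core]\n\tbare = true\n")
    bad = root / "mallory" / "x7k2q9pa.git"
    bad.mkdir(parents=True)
    (bad / "config").write_text("[core]\n\tbare = true\n\tsshCommand = /tmp/placeholder-command\n")
    os.symlink("../../../outside-target", bad / "link")  # constructed: points outside the repo
    return root


if __name__ == "__main__":
    for repo, indicator in scan_repo_root(build_fixture()):
        print(f"{repo}: {indicator}")
```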