Unpatched Gogs vulnerability being actively exploited; hundreds of instances compromised

Security researchers have reported active exploitation of a high-severity, unpatched vulnerability in the Go-based self-hosted Git service Gogs, with more than 700 compromised instances accessible on the internet, according to research published by Wiz. The flaw has been assigned CVE-2025-8110 and carries a CVSS score of 8.7.

The vulnerability is a file-overwrite issue in Gogs’ file update API that stems from improper handling of symbolic links, enabling writes outside a repository and local code execution, Wiz and the CVE record note. Wiz said it discovered the flaw in July 2025 while investigating a customer malware infection.

Wiz researchers described CVE-2025-8110 as a bypass for a previously patched remote code execution defect, CVE-2024-55947, which was fixed in December 2024. The new exploit leverages the fact that Git repositories may contain symbolic links that point outside the repository and that Gogs’ API permits file modifications outside the normal Git protocol.

According to the researchers, the exploitation sequence can be carried out in four steps: create a git repository, commit a symbolic link to a sensitive target, use the PutContents API to write to that symlink so the system follows it and overwrites the target, and modify the repository configuration (including the sshCommand in .git/config) to execute arbitrary commands on the server.

The activity observed by Wiz dropped a payload based on the open-source Supershell command-and-control framework that can establish a reverse SSH shell to an attacker-controlled server (reported as 119.45.176[.]196). Researchers Gili Tikochinski and Yaara Shriki said the attackers left behind created repositories with 8-character random owner/repository names, suggesting a single actor or a group using the same tooling was responsible for infections that began around July 10, 2025.

With no official fix available at this time, Wiz advised users to disable open registration, reduce the internet exposure of Gogs instances, and scan for repositories with random eight-character names. The company also warned that threat actors have been targeting leaked GitHub Personal Access Tokens and using them to find and misuse GitHub Actions secrets; researcher Shira Ayal has described how compromised tokens were used to discover secret names and execute malicious workflows.
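The two host-side checks that follow from the advisory (flagging repositories whose owner and name are both eight-character random strings, and flagging bare-repository config files that set `sshCommand`) can be scripted for triage. The script below is an added example written for this article; it is not code from Wiz or from the Gogs project. It assumes the default Gogs on-disk layout `<repo_root>/<owner>/<repo>.git/config`, and the "eight alphanumeric characters containing both letters and digits" heuristic is this example's own interpretation of the reported naming pattern. The sample directory tree is constructed inline so the script runs offline.

```python
"""
Triage helper for a self-hosted Gogs instance (added example, not Wiz's or
Gogs' own code). Walks a repository root and reports:
  * repositories where BOTH owner and repository name look like 8-character
    random strings (the pattern Wiz reported for attacker-created repos);
  * repository config files that set sshCommand, which the advisory names as
    the hook used for command execution after the symlink overwrite.
Assumed layout: <repo_root>/<owner>/<repo>.git/config (Gogs' default).
"""
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Eight alphanumeric characters; the letters-and-digits requirement below is an
# assumption made here to cut down on legitimate short names.
RANDOM_NAME = re.compile(r"^[a-z0-9]{8}$", re.IGNORECASE)
# Matches "sshCommand = ..." as a config key on its own line.
SSH_COMMAND = re.compile(r"^\s*sshCommand\s*=", re.IGNORECASE | re.MULTILINE)


def looks_random(name: str) -> bool:
    """True for 8-char alphanumeric names that mix letters and digits."""
    if not RANDOM_NAME.match(name):
        return False
    return any(c.isdigit() for c in name) and any(c.isalpha() for c in name)


def scan_repo_root(repo_root: Path) -> Dict[str, List[str]]:
    """Return {'random_names': [...], 'ssh_command': [...]} as owner/repo strings."""
    findings: Dict[str, List[str]] = {"random_names": [], "ssh_command": []}
    for owner_dir in sorted(p for p in repo_root.iterdir() if p.is_dir()):
        owner = owner_dir.name
        for repo_dir in sorted(p for p in owner_dir.iterdir()
                               if p.is_dir() and p.name.endswith(".git")):
            repo = repo_dir.name[:-4]
            label = f"{owner}/{repo}"
            if looks_random(owner) and looks_random(repo):
                findings["random_names"].append(label)
            cfg = repo_dir / "config"
            if cfg.is_file() and SSH_COMMAND.search(cfg.read_text(errors="replace")):
                findings["ssh_command"].append(label)
    return findings


def build_sample_tree(base: Optional[Path] = None) -> Path:
    """Constructed sample tree: one benign repo, one with a random-looking
    owner/repo pair, and one whose config sets sshCommand (placeholder value)."""
    root = Path(base) if base is not None else Path(tempfile.mkdtemp())
    layout = {
        "alice/website.git/config": "[core]\n\tbare = true\n",
        "k3x9q2mz/p7w1z8qa.git/config": "[core]\n\tbare = true\n",
        "bob/tools.git/config": (
            "[core]\n\tbare = true\n"
            "\tsshCommand = /tmp/PLACEHOLDER-not-a-real-command\n"
        ),
    }
    for rel, content in layout.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)
    return root


if __name__ == "__main__":
    # Point scan_repo_root at the real Gogs repository root in production;
    # the constructed tree is used here so the script runs stand-alone.
    results = scan_repo_root(build_sample_tree())
    for kind, repos in results.items():
        print(f"{kind}: {repos or 'none'}")
```

Both lists are triage candidates rather than verdicts: a legitimate project can have an eight-character name, so each hit should be reviewed against the instance's creation logs and the July 2025 timeframe the researchers reported. Any repository whose config sets `sshCommand` on a server that never intended it warrants an incident-response look regardless of its name.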