CISA Adds Gogs Path Traversal CVE-2025-8110 to Known Exploited Vulnerabilities Catalog

CISA added CVE-2025-8110 to its Known Exploited Vulnerabilities (KEV) catalog on January 12, 2026, after active exploitation was observed. The bug is a path traversal in Gogs with a CVSS score of 8.7.

KEY FACTS

  • Incident: Active exploitation prompted addition to the KEV catalog
  • Vulnerability: CVE-2025-8110 is a path traversal in the PutContents API
  • Impact: Exploitation can enable remote code execution by overwriting files
  • Scope: About 1,600 exposed Gogs servers and several hundred compromised instances

The flaw stems from improper symbolic link handling in the PutContents API. A repository can contain a symlink that points outside the repository. When PutContents writes to the path of that symlink, the operating system follows the link and the write lands on the external target file instead of on a file inside the repository.

By overwriting Git configuration, for example the sshCommand setting, an attacker can obtain code execution on the host running the Gogs instance. The vulnerability effectively bypasses the protections implemented for a prior related issue.
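The check a content-writing API needs at this step, shown as an added Go example written for this page (it is not Gogs's own code or its patch): before writing, every path component below the repository root is inspected with os.Lstat, and any symbolic link, whether it points inside or outside the repository, is rejected, so the write can never be redirected to an external file. The function name SafeWriteFile and the error variables are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Error values are assumptions for this example, not identifiers from Gogs.
var (
	ErrInvalidPath   = errors.New("invalid repository path")
	ErrOutsideRepo   = errors.New("refusing to write outside the repository root")
	ErrSymlinkInPath = errors.New("refusing to write through a symbolic link")
)

// SafeWriteFile writes data to relPath under repoRoot. It refuses absolute
// paths, ".." escapes, and any symlink in the path below the root, which is
// the defect class described above: a link inside the repository that points
// at a file outside it.
func SafeWriteFile(repoRoot, relPath string, data []byte) error {
	root, err := filepath.Abs(repoRoot)
	if err != nil {
		return err
	}
	// Canonicalise the root itself so the containment check below compares
	// like with like (e.g. a temp dir that lives behind a symlink).
	root, err = filepath.EvalSymlinks(root)
	if err != nil {
		return err
	}

	// Lexical checks first: no absolute paths, no empty path, no ".." escape.
	clean := filepath.Clean(relPath)
	sep := string(filepath.Separator)
	if clean == "." || clean == "" {
		return ErrInvalidPath
	}
	if filepath.IsAbs(clean) || clean == ".." || strings.HasPrefix(clean, ".."+sep) {
		return ErrOutsideRepo
	}
	target := filepath.Join(root, clean)
	if !strings.HasPrefix(target, root+sep) {
		return ErrOutsideRepo
	}

	// Walk each component between root and target with Lstat (which does
	// not follow links). A symlink anywhere in the chain is rejected; a
	// component that does not exist yet ends the walk, as nothing below it
	// can be followed.
	cur := root
	for _, part := range strings.Split(clean, sep) {
		cur = filepath.Join(cur, part)
		info, err := os.Lstat(cur)
		if errors.Is(err, os.ErrNotExist) {
			break
		}
		if err != nil {
			return err
		}
		if info.Mode()&os.ModeSymlink != 0 {
			return ErrSymlinkInPath
		}
	}

	if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
		return err
	}
	return os.WriteFile(target, data, 0o644)
}

// main builds a constructed repository containing a symlink that points at a
// file outside it, then shows that the write is refused and the outside file
// is left untouched.
func main() {
	repo, _ := os.MkdirTemp("", "repo")
	outside, _ := os.MkdirTemp("", "outside")
	defer os.RemoveAll(repo)
	defer os.RemoveAll(outside)

	victim := filepath.Join(outside, "config")
	_ = os.WriteFile(victim, []byte("original\n"), 0o644)
	_ = os.Symlink(victim, filepath.Join(repo, "notes.txt")) // link escaping the repo

	err := SafeWriteFile(repo, "notes.txt", []byte("attacker-controlled\n"))
	content, _ := os.ReadFile(victim)
	fmt.Printf("write error: %v\noutside file still reads: %q\n", err, content)
}
```

The Lstat walk closes the path-traversal case but is still a check-then-act sequence; a process that can race the filesystem between the Lstat and the write could in principle swap a component for a link, so a hardened implementation would additionally open the final file with a no-follow flag on platforms that support it. The lexical checks in front of the walk are cheap and catch the plain `../` variant before any filesystem call.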

Public reporting shows roughly 1,600 internet-exposed Gogs servers and several hundred compromised instances. The largest exposed populations are reported in China, the United States and Germany.

There are no official patches for CVE-2025-8110 at this time. Pull requests on GitHub include code changes that address the issue, and the downstream images will be updated once main is rebuilt. Operators are advised to disable open registration and to restrict access with a VPN or an allow list. Federal civilian agencies must apply the required mitigations by February 2, 2026.

WHY IT MATTERS

The vulnerability enables remote code execution on exposed Gogs servers, increasing risk for organizations that run internet-accessible instances. Applying mitigations or deploying the patched images when available will reduce exposure.