CVE-2025-8110
BaseFortify
Publication date: 2025-12-10
Last updated on: 2025-12-11
Assigner: Wiz
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gogs | gogs | 0.13.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-8110 is a critical remote code execution vulnerability in Gogs, a self-hosted Git service. It arises from improper handling of symbolic links in the PutContents API. Authenticated users with repository creation permissions can create symbolic links pointing outside the repository and use the API to overwrite sensitive system files like .git/config. By modifying .git/config, attackers can execute arbitrary code on the host system. This vulnerability bypasses a previous patch that did not account for symbolic links, enabling attackers to gain control over affected systems. [1]
How can this vulnerability impact me? :
This vulnerability allows attackers to execute arbitrary code on the host running Gogs by overwriting critical system files through symbolic links. Exploitation can lead to full system compromise, including remote control via malware such as the Supershell framework, which establishes reverse SSH shells. Over 700 publicly exposed Gogs instances have been confirmed compromised, indicating a high risk of infection. The attack can result in unauthorized access, data breaches, and control over the affected infrastructure. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of CVE-2025-8110 can be performed by monitoring for suspicious repository creation with random 8-character names and unusual usage of the PutContents API in Gogs. Additionally, agentless malware detection using YARA rules and runtime behavioral sensors can help identify exploitation attempts. Monitoring network traffic for connections to known Supershell C2 server IP 119.45.176.196 and payload servers 106.53.108.81 and 119.91.42.53 is also recommended. Specific commands are not provided in the resource, but monitoring logs for repository creation patterns and API calls, as well as scanning with YARA rules, are suggested detection methods. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include disabling open registration on Gogs if it is not required, limiting internet exposure by placing Gogs behind VPNs or IP allow-lists, and monitoring for suspicious repository creation and unusual PutContents API usage. Since no patch is available as of December 10, 2025, these measures help reduce the attack surface and prevent exploitation. [1]