Overview
- CVE-2025-8110 abuses improper symbolic-link handling in the PutContents API to traverse paths and overwrite files outside a repository, bypassing protections added for CVE-2024-55947.
- Researchers observed exploitation since July 2025, with a second wave on November 1, and noted automated creation of repositories with random eight-character names.
- Wiz reported roughly 1,400 internet-exposed Gogs servers with more than 700 showing compromise indicators, while Censys counted about 1,600 exposed instances globally.
- CISA’s listing under BOD 22-01 requires Federal Civilian Executive Branch agencies to remediate or apply mitigations by February 2, 2026.
- Maintainers and contributors have produced code-level fixes reflected in pull requests, but patched images are still rolling out, so users are urged to disable open registration, restrict access, and monitor for suspicious PutContents API activity.
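The monitoring advice above can be turned into a concrete log check. The following is an added example, not code from the advisory or from the Gogs project: it scans web-server access-log lines for the two indicators the overview names, PutContents requests whose target path contains traversal components (including percent- and double-encoded forms), and PutContents activity against repositories with an eight-character alphanumeric name. The PutContents route shape (`PUT /api/v1/repos/{owner}/{repo}/contents/{path}`), the combined access-log format and the sample lines are assumptions constructed for the example; the eight-character-name rule is a weak heuristic and is only reported at medium severity.

```python
"""Added example (not from the advisory or Gogs): flag PutContents API
activity in access logs that matches the indicators described in the overview."""
import re
from urllib.parse import unquote

# Assumed Gogs route for the PutContents API: owner, repo, file path inside the repo.
PUT_CONTENTS = re.compile(r"^/api/v1/repos/([^/]+)/([^/]+)/contents/(.*)$")
# Heuristic from the overview: automated repositories used random eight-character names.
RANDOM_NAME = re.compile(r"^[A-Za-z0-9]{8}$")
# Request line and client address in a combined-format access log (assumed format).
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
CLIENT = re.compile(r"^(?P<ip>\S+) ")


def has_traversal(file_path: str) -> bool:
    """True if any segment of the decoded path is '..'.

    Decoding twice catches both %2e%2e and double-encoded %252e%252e forms."""
    decoded = unquote(unquote(file_path))
    return any(seg == ".." for seg in re.split(r"[\\/]+", decoded))


def classify(line: str):
    """Return (severity, reason) for one log line, or None if it is unremarkable."""
    m = REQUEST.search(line)
    if not m or m.group("method") != "PUT":
        return None
    path = m.group("target").split("?", 1)[0]  # drop any query string
    route = PUT_CONTENTS.match(path)
    if not route:
        return None
    owner, repo, file_path = route.groups()
    client = CLIENT.match(line)
    ip = client.group("ip") if client else "?"
    if has_traversal(file_path):
        return ("high", f"{ip} PutContents traversal in {owner}/{repo}: {unquote(file_path)}")
    if RANDOM_NAME.match(repo):
        return ("medium", f"{ip} PutContents into eight-character repo {owner}/{repo}")
    return None


def scan(lines):
    """Run classify() over an iterable of log lines and keep only the hits."""
    return [hit for hit in (classify(line) for line in lines) if hit]


# Constructed sample log lines for the example; not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Nov/2025:03:14:07 +0000] "PUT /api/v1/repos/bot1/k3jd82la/contents/..%2F..%2Foutside-repo.txt HTTP/1.1" 201 120 "-" "python-requests/2.32"',
    '203.0.113.5 - - [01/Nov/2025:03:14:09 +0000] "PUT /api/v1/repos/bot1/k3jd82la/contents/README.md HTTP/1.1" 201 98 "-" "python-requests/2.32"',
    '198.51.100.7 - - [01/Nov/2025:08:22:41 +0000] "PUT /api/v1/repos/alice/website/contents/docs/index.md HTTP/1.1" 200 310 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Nov/2025:08:23:02 +0000] "GET /api/v1/repos/alice/website/contents/docs/index.md HTTP/1.1" 200 310 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for severity, reason in scan(SAMPLE_LOG):
        print(f"[{severity}] {reason}")
```

Run it against the constructed sample and the first line is reported as high (traversal in the written path), the second as medium (eight-character repository name with no traversal), and the legitimate `alice/website` traffic produces nothing. On a real deployment, point `scan()` at the reverse-proxy or Gogs access log and treat any high hit as grounds to inspect the affected repository's working tree and the server filesystem for files written outside repository directories.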