Overview
- Wiz disclosed CVE-2025-8110, a symlink bypass in Gogs’ PutContents API that lets authenticated users overwrite files outside repositories to achieve remote code execution.
- Roughly 1,400 Gogs instances are exposed online, and more than 700 show signs of compromise based on external scanning.
- The attack flow is simple for users with repository creation rights: create a repo, commit a symlink to a sensitive path, write via PutContents, then alter .git/config sshCommand to execute commands.
- Compromised servers commonly contain repositories with random 8-character names created around July 10 and a Supershell-based payload, with C2 infrastructure at 119.45.176[.]196.
- Gogs maintainers acknowledged the report on October 30 but have not released a fix, and Wiz advises disabling open registration, limiting exposure, and hunting for suspicious repos or PutContents usage.
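
The two artifacts the attack flow above leaves in a repository, a symlink whose target lies outside the repository and an `sshCommand` entry under `[core]` in `.git/config`, can be checked for during a hunt. The following is an added example, not code from Wiz or Gogs; it assumes the reviewer has a working-tree checkout of the repository under review, and the function names, sample config and temporary files are constructed for illustration.

```python
import os
import re
import tempfile

def escaping_symlinks(root):
    """Return symlinks under root whose resolved target lies outside root."""
    root_real = os.path.realpath(root)
    hits = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)
            # commonpath avoids the "/srv/repo" vs "/srv/repo2" prefix mistake.
            if os.path.commonpath([root_real, target]) != root_real:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)

def ssh_command_settings(config_text):
    """Return every core.sshCommand value set in git config text."""
    section, found = None, []
    for raw in config_text.splitlines():
        line = raw.strip()
        header = re.match(r'\[\s*([^\]\s"]+)', line)
        if header:
            section = header.group(1).lower()
            continue
        key, sep, value = line.partition("=")
        if sep and section == "core" and key.strip().lower() == "sshcommand":
            found.append(value.strip())
    return found

# Constructed sample: config text with a placeholder sshCommand value.
SAMPLE_CONFIG = ('[core]\n\tbare = false\n\tsshCommand = <placeholder-command>\n'
                 '[remote "origin"]\n\turl = x\n')

def demo():
    """Build a constructed checkout in a temp dir and run both checks."""
    with tempfile.TemporaryDirectory() as base:
        repo = os.path.join(base, "repo")
        os.makedirs(os.path.join(repo, "docs"))
        open(os.path.join(base, "outside.txt"), "w").close()
        open(os.path.join(repo, "README.md"), "w").close()
        os.symlink("../README.md", os.path.join(repo, "docs", "ok"))  # stays inside
        os.symlink("../outside.txt", os.path.join(repo, "escape"))    # leaves the repo
        return escaping_symlinks(repo), ssh_command_settings(SAMPLE_CONFIG)

if __name__ == "__main__":
    print(demo())
```

A hit from either check is a triage lead to correlate with repository creation time and PutContents usage, not proof of compromise on its own.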