Gogs Zero-Day RCE (CVE-2025-8110) Actively Exploited

Dec. 21, 2025, 6:57 p.m.

Description

A zero-day vulnerability in Gogs, a popular self-hosted Git service, has been discovered and is being actively exploited. The flaw, tracked as CVE-2025-8110, is a symbolic-link bypass of the fix for an earlier, already patched remote code execution (RCE) vulnerability. It lets an authenticated user write files outside the repository's directory and thereby achieve remote code execution on the server. Over 700 compromised instances have been identified on the internet. Affected are internet-exposed Gogs servers running version 0.13.3 or earlier with open registration enabled; open registration matters because it lets an attacker obtain the account that the flaw requires. The attack chain creates a repository containing a symbolic link and then uses the PutContents API to write through that link, overwriting sensitive files outside the repository. The malware deployed in the attacks is based on the Supershell framework and is used to establish reverse SSH shells.
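As a defender-side check for the attack chain described above, the following is an added example (not code from this advisory or from the Gogs project) that scans bare Git repositories for symbolic links whose targets resolve outside the repository, which is the precondition the described PutContents write relies on. It assumes that Gogs keeps each repository as a bare Git repository on disk under its configured repository root and that the `git` binary is on PATH; the sample tree and object ids at the bottom are constructed so the logic can be exercised offline.

```python
"""Added example (not part of the advisory or the Gogs project): scan bare Git
repositories for symbolic links whose targets resolve outside the repository.

Assumptions (not stated on the page): Gogs keeps each repository as a bare
Git repository on disk under its configured repository root, and the `git`
binary is available for scan_bare_repo(). The parsing and path logic works
offline on the constructed sample at the bottom.
"""
import posixpath
import subprocess
from typing import Callable, Iterator


def symlink_escapes(link_path: str, target: str) -> bool:
    """Return True if a symlink stored at link_path (relative to the repo root)
    pointing at target would resolve to a location outside the repository.

    Git records the symlink target verbatim, so absolute targets and targets
    that climb above the root with '..' are both escapes.
    """
    if posixpath.isabs(target):
        return True
    resolved = posixpath.normpath(posixpath.join(posixpath.dirname(link_path), target))
    return resolved == ".." or resolved.startswith("../")


def parse_ls_tree(output: str) -> Iterator[tuple[str, str, str, str]]:
    """Yield (mode, type, object id, path) from `git ls-tree -r` output.

    Each line has the form '<mode> <type> <object>\\t<path>'.
    """
    for line in output.splitlines():
        if not line:
            continue
        meta, path = line.split("\t", 1)
        mode, otype, oid = meta.split()
        yield mode, otype, oid, path


def find_escaping_symlinks(ls_tree_output: str,
                           read_blob: Callable[[str], str]) -> list[tuple[str, str]]:
    """Return (path, target) for every symlink in the tree that escapes the repo.

    read_blob(oid) must return the blob contents; for a symlink blob that is
    the target path itself.
    """
    findings = []
    for mode, otype, oid, path in parse_ls_tree(ls_tree_output):
        if mode != "120000" or otype != "blob":   # 120000 is Git's symlink mode
            continue
        target = read_blob(oid).strip()
        if symlink_escapes(path, target):
            findings.append((path, target))
    return findings


def scan_bare_repo(repo_dir: str) -> dict[str, list[tuple[str, str]]]:
    """Scan every branch head of a bare repository on disk.

    An API write lands on a branch, so a symlink on any branch (not only the
    default one) is relevant. Results are keyed by ref name.
    """
    def git(*args: str) -> str:
        return subprocess.run(["git", "-C", repo_dir, *args],
                              capture_output=True, text=True, check=True).stdout

    results: dict[str, list[tuple[str, str]]] = {}
    for ref in git("for-each-ref", "--format=%(refname)", "refs/heads").split():
        found = find_escaping_symlinks(git("ls-tree", "-r", ref),
                                       lambda oid: git("cat-file", "-p", oid))
        if found:
            results[ref] = found
    return results


# Constructed sample (not real data): one regular file, one symlink that stays
# inside the repository and two that point outside it.
SAMPLE_LS_TREE = (
    "100644 blob aaaa0001\tREADME.md\n"
    "120000 blob aaaa0002\tlocal-link\n"
    "120000 blob aaaa0003\thome\n"
    "120000 blob aaaa0004\tdocs/up\n"
)
SAMPLE_BLOBS = {
    "aaaa0002": "README.md\n",     # relative target inside the repository
    "aaaa0003": "/root\n",         # absolute target
    "aaaa0004": "../../.ssh\n",    # climbs above the root from docs/
}


def scan_sample() -> list[tuple[str, str]]:
    """Run the detection over the constructed sample tree."""
    return find_escaping_symlinks(SAMPLE_LS_TREE, SAMPLE_BLOBS.__getitem__)


if __name__ == "__main__":
    for path, target in scan_sample():
        print(f"escaping symlink: {path} -> {target}")
```

A hit is not proof of compromise, since symlinks are legitimate repository content, but on an instance that meets the page's preconditions (version 0.13.3 or earlier, open registration) an escaping symlink in a recently created repository owned by a recently registered account is worth checking against the file it points to. Disabling open registration, which in Gogs is `DISABLE_REGISTRATION = true` under `[service]` in app.ini, removes one of the stated preconditions but does not fix the flaw itself.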

Date

  • Created: Dec. 10, 2025, 6:35 p.m.
  • Published: Dec. 10, 2025, 6:35 p.m.
  • Modified: Dec. 21, 2025, 6:57 p.m.

Linked vulnerabilities