Monday, June 8, 2026
Categories: CISA Exploit List, Vulnerability

Unpatched Gogs Zero-Day RCE (CVE-2025-8110) Actively Exploited

by Justin Erickson

Wiz researchers have disclosed an unpatched zero-day in Gogs, a popular self-hosted Git service, that was being actively exploited as of December 1st, 2025, and possibly as early as July. The flaw, CVE-2025-8110, is a symlink-based bypass of the fix for an earlier remote code execution bug (CVE-2024-55947) in the PutContents API: it lets an authenticated user overwrite files outside a repository, which in turn leads to remote code execution on the server. External scans identified roughly 1,400 internet-exposed Gogs instances, more than 700 of which showed signs of compromise. Many of these servers had “open registration” enabled (the default setting), so anyone could create an account and exploit the issue. A fix is still in development and has not yet been released. If you are vulnerable (a Gogs server at version <= 0.13.3 that is both exposed to the internet and has open registration enabled), here is what Wiz says to do:

  1. Look for the creation of repositories with random 8-character names or unexpected usage of the PutContents API.
  2. If your instance does not require open-registration, disable this immediately.
  3. Limit internet exposure. Place self-hosted Git services behind a VPN or use an allow-list for IP addresses.
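The three steps above translate into a small triage script. The following is an added example written for this post; it is not Wiz's tooling or part of Gogs. It assumes the PutContents API is reached at `PUT /api/v1/repos/<owner>/<repo>/contents/<path>` and that requests are recorded by a reverse proxy in Common Log Format; the log lines, repository list and `app.ini` fragment are constructed samples. It flags PutContents calls per client and owner, repository names of exactly 8 alphanumeric characters, the vulnerable version range, and whether `[service] DISABLE_REGISTRATION` is still at its default.

```python
"""Triage helpers for the Wiz recommendations on CVE-2025-8110 (added example).

Inputs below are constructed samples, not data from a real Gogs instance.
"""
import configparser
import re
from collections import Counter

# Assumption: the PutContents route is PUT /api/v1/repos/<owner>/<repo>/contents/<path>.
PUTCONTENTS_RE = re.compile(r"^PUT /api/v1/repos/([^/]+)/([^/]+)/contents/(\S*)")
# Wiz's indicator: repositories with random 8-character names. This matches any
# 8-character alphanumeric name, so treat hits as candidates for analyst review.
RANDOM_NAME_RE = re.compile(r"^[A-Za-z0-9]{8}$")
# Common Log Format: client IP, identity, user, [timestamp], "request line".
CLF_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')

# Constructed reverse-proxy access log lines (203.0.113.x and 198.51.100.x are
# documentation ranges, not real clients).
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [01/Dec/2025:10:02:11 +0000] "POST /api/v1/user/repos HTTP/1.1" 201 412',
    '203.0.113.7 - - [01/Dec/2025:10:02:13 +0000] "PUT /api/v1/repos/newuser1/a8Xk2QzL/contents/readme.md HTTP/1.1" 201 96',
    '203.0.113.7 - - [01/Dec/2025:10:02:14 +0000] "PUT /api/v1/repos/newuser1/a8Xk2QzL/contents/notes.txt HTTP/1.1" 201 96',
    '198.51.100.4 - - [01/Dec/2025:10:05:40 +0000] "GET /devteam/website HTTP/1.1" 200 5120',
    '198.51.100.4 - - [01/Dec/2025:10:06:02 +0000] "PUT /api/v1/repos/devteam/website/contents/docs/index.md HTTP/1.1" 200 120',
]
# Constructed repository names, e.g. from the gogs-repositories directory listing.
SAMPLE_REPOS = ["website", "a8Xk2QzL", "infra-tools", "Qm7pL2xZ"]
# Constructed custom/conf/app.ini fragment showing the default (open) registration.
SAMPLE_APP_INI = """APP_NAME = Gogs
RUN_MODE = prod

[service]
DISABLE_REGISTRATION = false ; default: anyone can sign up
REQUIRE_SIGNIN_VIEW = false
"""


def parse_version(v):
    """'v0.13.3' or '0.13.3' -> (0, 13, 3) for tuple comparison."""
    return tuple(int(x) for x in v.strip().lstrip("v").split("."))


def is_vulnerable_version(v):
    """True for Gogs <= 0.13.3, the range named in the advisory."""
    return parse_version(v) <= (0, 13, 3)


def find_putcontents_calls(lines):
    """Return (client_ip, owner, repo, path) for each PutContents request in access logs."""
    hits = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        p = PUTCONTENTS_RE.match(m["req"])
        if p:
            hits.append((m["ip"], p.group(1), p.group(2), p.group(3)))
    return hits


def suspicious_repos(repo_names):
    """Repository names that match the 8-character random-name indicator."""
    return sorted(n for n in repo_names if RANDOM_NAME_RE.match(n))


def registration_open(app_ini_text):
    """True if [service] DISABLE_REGISTRATION is absent or false (the Gogs default).

    Gogs app.ini may carry keys before any section header, so a placeholder
    section is prepended to keep configparser happy; ';' and '#' inline comments
    are stripped.
    """
    cp = configparser.ConfigParser(interpolation=None, inline_comment_prefixes=(";", "#"))
    cp.read_string("[__root__]\n" + app_ini_text)
    return not cp.getboolean("service", "DISABLE_REGISTRATION", fallback=False)


def triage(version, access_log, repo_names, app_ini_text):
    """Summarise the checks an operator would run against one instance."""
    hits = find_putcontents_calls(access_log)
    return {
        "vulnerable_version": is_vulnerable_version(version),
        "registration_open": registration_open(app_ini_text),
        "putcontents_by_client": Counter((ip, owner) for ip, owner, _, _ in hits),
        "suspicious_repos": suspicious_repos(repo_names),
    }


if __name__ == "__main__":
    for key, value in triage("0.13.3", SAMPLE_ACCESS_LOG, SAMPLE_REPOS, SAMPLE_APP_INI).items():
        print(f"{key}: {value}")
```

On the sample data the script reports a vulnerable version, open registration, two PutContents writes from one client into a freshly named 8-character repository, and two candidate repository names. Real 8-character project names (for example "frontend") will also match the name filter, so pair that check with the PutContents volume per client and owner before escalating.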