700+ Self-Hosted Git Servers Under Attack: Zero-Day Exploit Leaves Users Vulnerable (2026)

Over 700 self-hosted Gogs instances have been compromised in zero-day attacks, with no fix in sight. Attackers are actively exploiting a previously unknown and still unpatched flaw in Gogs, a popular self-hosted Git service. The vulnerability, tracked as CVE-2025-8110, allows authenticated users to overwrite files outside the repository, leading to remote code execution (RCE).

This bug is a bypass of a previously patched bug (CVE-2024-55947) that was discovered by Manasseh Zhou. The earlier fix didn't account for symbolic links, which can point to objects outside the repository and allow file modification outside the regular Git protocol.

The attack involves four steps, all of which are 'trivial for any user with repository creation permissions', which are enabled by default. The attackers create a standard Git repository, commit a symbolic link pointing to a sensitive target, write data to the symlink using the PutContents API, and then overwrite .git/config to execute arbitrary commands.

Approximately 1,400 Gogs instances are exposed to the internet, and over 700 of them have been infected. The infected instances show an 8-character random owner/repo name created on July 10, and the campaign uses the Supershell remote command-and-control framework. The threat hunters haven't attributed the attacks to a specific group, but they suspect the attackers are located in Asia due to the use of Supershell C2.

The vulnerability has been responsibly disclosed to the Gogs maintainers, who are currently working on a fix, but active exploitation continues. The Register recommends disabling open registration and limiting internet exposure by placing self-hosted Git services behind a VPN. Users should also be vigilant for newly created repositories with random 8-character names or unexpected usage of the PutContents API.
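One way to hunt for the indicators described above on a server you administer, as an added example that is not code from the article or the Gogs project: it lists committed symlinks whose target leaves the working tree or lands in `.git`, and adds weight when both owner and repo names are 8 characters long. The function names, the scoring weights, the reading of "random 8-character name" as 8 ASCII letters or digits, and the sample data are assumptions; `git_dir` is the path to a bare repository, and only the tree at `HEAD` is inspected.

```python
import posixpath
import re
import subprocess

SYMLINK_MODE = "120000"  # git tree mode for a symbolic link
# Assumption: "random 8-character name" = exactly 8 ASCII letters/digits.
RANDOM_NAME = re.compile(r"[A-Za-z0-9]{8}")
# Constructed `git ls-tree -r -z` output; object ids are placeholders.
SAMPLE = "\0".join(["100644 blob " + "a" * 40 + "\tREADME.md",
                    "120000 blob " + "b" * 40 + "\tcfg"]) + "\0"

def escapes_repo(link_path, target):
    """True if a symlink at link_path resolves outside the tree or into .git."""
    if target.startswith("/"):
        return True
    resolved = posixpath.normpath(
        posixpath.join(posixpath.dirname(link_path), target))
    first = resolved.split("/", 1)[0]
    return first == ".." or first.lower() == ".git"

def parse_ls_tree(raw):
    """Return [(mode, sha, path)] from NUL-separated `git ls-tree -r -z` output."""
    rows = []
    for record in filter(None, raw.split("\0")):
        meta, path = record.split("\t", 1)
        mode, _type, sha = meta.split(" ")
        rows.append((mode, sha, path))
    return rows

def suspicious_symlinks(git_dir, rev="HEAD"):
    """[(path, target)] for symlinks committed at rev that escape the repo."""
    def git(*args):  # empty repos have no HEAD: treat failure as no output
        r = subprocess.run(["git", "--git-dir", git_dir, *args],
                           capture_output=True, encoding="utf-8", errors="replace")
        return r.stdout if r.returncode == 0 else ""
    hits = []
    for mode, sha, path in parse_ls_tree(git("ls-tree", "-r", "-z", rev)):
        if mode == SYMLINK_MODE:
            target = git("cat-file", "blob", sha)  # blob body is the link target
            if escapes_repo(path, target):
                hits.append((path, target))
    return hits

def triage(owner, repo, links):
    """Score a repo from its name and its (path, target) symlink list."""
    score = 2 * sum(escapes_repo(p, t) for p, t in links)
    if RANDOM_NAME.fullmatch(owner) and RANDOM_NAME.fullmatch(repo):
        score += 1
    return score
```

The name check alone also matches ordinary eight-letter names, so it only adds weight to a symlink hit and should not be used as a verdict by itself.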

Author: Arline Emard IV
