The flaw, identified as CVE-2025-8110 with a CVSS score of 8.7, affects Gogs, a self-hosted Git service built on Go. This security hole is specifically a case of file overwrite within the file update API. A remedy for this problem is reportedly under development. The zero-day vulnerability was unexpectedly uncovered by Wiz in July 2025 while the cloud security company was investigating a malware infection on one of their customer’s machines.
According to a description on CVE.org, the vulnerability stems from “Improper symbolic link handling in the PutContents API in Gogs,” which allows an attacker with local access to execute code. This particular flaw is considered a bypass for an earlier remote code execution vulnerability, CVE-2024-55947, which also had a CVSS score of 8.7. The bypass allows an attacker to write a file to an arbitrary path on the server and consequently obtain SSH access. CVE-2024-55947 was previously addressed by the developers in December 2024.
GET 50% Discount for VPN/ANTIVIRUS SOFTWARE AT 911Cyber - CODE: bit5025
Wiz explained that the patch implemented by Gogs to resolve the previous flaw, CVE-2024-55947, could be circumvented. This is because Git, and therefore Gogs, permits the use of symbolic links within its repositories, and these symlinks can be set to point to files or directories outside the repository’s boundaries. Furthermore, the Gogs API allows for file modifications outside of the standard Git protocol’s safeguards.
This failure to properly account for symbolic links in the API allows an attacker to achieve arbitrary code execution through a sequence of four actions. The process begins with creating a standard git repository, followed by committing a single symbolic link within it that points to a sensitive target file outside the repository. The attacker then uses the PutContents API to write data to the symlink. This action causes the system to follow the link, resulting in the sensitive target file outside the repository being overwritten. The final step involves overwriting the “.git/config” file, specifically the sshCommand, to execute arbitrary commands on the server.
The malware observed in this exploitation activity is believed to be a payload derived from Supershell. Supershell is an open-source command-and-control framework often associated with Chinese hacking groups. The malware is designed to establish a reverse SSH shell connection to an attacker-controlled server, identified in this case as “119.45.176[.]196”.
Source: Unpatched Gogs Zero Day Exploited Across Hundreds Of Instances In Active Attacks
Excellent breakdown of the symlink bypass mecanism! What's particulary concerning is how the patch for CVE-2024-55947 didn't fully address the underlying issue with API-level symbolic link handling. This shows how fixing surface-level symptoms without addressing architectural weaknesses just kicks the can down the road, especially when the API bypases Git's native protections.