CVE-2025-8110 Overview
CVE-2025-8110 is a symlink attack vulnerability affecting Gogs, the popular self-hosted Git service. Improper symbolic link handling in the PutContents API allows authenticated attackers to achieve local code execution on affected servers. This vulnerability exploits path traversal weaknesses (CWE-22) through symlink manipulation in the repository file update mechanism.
The vulnerability has been confirmed as actively exploited in the wild and is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating significant real-world threat activity targeting Gogs installations.
Critical Impact
Authenticated attackers can leverage improper symlink handling in the PutContents API to escape repository boundaries and execute arbitrary code on the underlying server, potentially compromising the entire Gogs instance and any connected systems.
Affected Products
- Gogs (all versions prior to the security patch)
- Self-hosted Gogs instances with user write access enabled
- Gogs deployments accessible over network
Discovery Timeline
- December 10, 2025 - CVE-2025-8110 published to NVD
- January 20, 2026 - Last updated in NVD database
Technical Details for CVE-2025-8110
Vulnerability Analysis
This vulnerability stems from insufficient validation of file paths in the PutContents API when processing symbolic links. The Gogs repository management functionality fails to properly validate path hierarchies that contain symlinks, allowing attackers to bypass directory restrictions and write content to arbitrary locations outside the intended repository boundaries.
The core issue lies in how Gogs processes file update operations—specifically, the IsFile() function follows symlinks without validating whether the resulting path remains within the repository's allowed directory structure. An attacker with repository write access can craft a malicious commit containing symbolic links that point to sensitive locations on the server filesystem.
When the PutContents API is subsequently invoked to update files through these symlinks, the content is written to the symlink target rather than the repository itself, enabling arbitrary file write capabilities that can be escalated to code execution.
Root Cause
The root cause is the improper handling of symbolic links during file operations in the internal/osutil/osutil.go module. The original IsFile() function followed symlinks via os.Stat() without checking whether the resolved path was still within the repository boundaries. This allowed path hierarchies containing symlinks to bypass directory traversal protections designed to contain file operations within repository directories.
Attack Vector
The attack is network-accessible and requires low-privilege authenticated access to a Gogs repository. An attacker can exploit this vulnerability through the following sequence:
- Create or obtain write access to a repository on the target Gogs instance
- Craft a commit containing a symbolic link pointing outside the repository directory (e.g., to /var/gogs/data/ or other sensitive paths)
- Push the malicious commit to the repository
- Use the PutContents API to write content through the symlink
- The content is written to the symlink target, allowing arbitrary file creation/modification
- Escalate to code execution by overwriting configuration files, templates, or other executable content
// Security patch in internal/osutil/osutil.go
// Source: https://github.com/gogs/gogs/commit/553707f3fd5f68f47f531cfcff56aa3ec294c6f6
"os/user"
)
-// IsFile returns true if given path exists as a file (i.e. not a directory).
+// IsFile returns true if given path exists as a file (i.e. not a directory)
+// following any symlinks.
func IsFile(path string) bool {
f, e := os.Stat(path)
if e != nil {
The patch addresses this by rejecting any updates where the path hierarchy contains symbolic links, ensuring file operations remain confined to legitimate repository directories.
Detection Methods for CVE-2025-8110
Indicators of Compromise
- Unexpected symbolic links within repository directories pointing to locations outside the repository root
- File modification timestamps on system files that correlate with Gogs API activity
- Repository commits containing symlinks with absolute paths or ../ traversal patterns
- Anomalous file writes to Gogs configuration directories or template locations
Detection Strategies
- Monitor Git repository contents for symbolic links pointing outside repository boundaries during push operations
- Implement file integrity monitoring (FIM) on Gogs installation directories and configuration files
- Analyze Gogs API logs for PutContents operations following symlink creation
- Deploy endpoint detection to identify file write operations from the Gogs process to unexpected filesystem locations
- Review repository commit history for suspicious symlink additions
Monitoring Recommendations
- Enable verbose logging for the Gogs PutContents API and monitor for path traversal patterns
- Configure alerts for symbolic link creation within repositories that reference system paths
- Implement real-time monitoring of critical Gogs files including app.ini, templates, and hook scripts
- Use SentinelOne Singularity to detect anomalous process behavior from the Gogs service
How to Mitigate CVE-2025-8110
Immediate Actions Required
- Apply the security patch from GitHub Gogs Pull Request #8078 immediately
- Review all repositories for existing symbolic links that may point outside repository boundaries
- Restrict repository creation and write access to trusted users only
- Consider temporarily disabling the PutContents API if patching is delayed
- Audit recent repository activity for potential exploitation attempts
Patch Information
The vulnerability has been addressed in commit 553707f. The fix implements validation to reject any file updates where the path hierarchy contains symbolic links. Organizations should upgrade to the patched version of Gogs as soon as possible.
Additional details are available in the GitHub Gogs Pull Request #8078 and the Wiz Blog RCE Exploit Analysis.
Workarounds
- Disable or restrict access to the PutContents API endpoint until the patch can be applied
- Configure repository hooks to scan for and reject commits containing symbolic links
- Run Gogs in a containerized environment with restricted filesystem access and read-only mounts where possible
- Implement network segmentation to limit the impact of potential code execution
# Configuration example: Restrict Gogs process filesystem access using systemd
# Add to /etc/systemd/system/gogs.service.d/security.conf
[Service]
ProtectSystem=strict
ProtectHome=true
ReadWritePaths=/var/gogs/data /var/gogs/repositories
NoNewPrivileges=true
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
