CISA has ordered federal agencies to stop using Gogs or lock it down immediately after a high-severity vulnerability in the self-hosted Git service was added to its Known Exploited Vulnerabilities (KEV) catalog.
The US cybersecurity agency added the path traversal flaw to the KEV list on Monday, triggering urgent remediation requirements for federal civilian executive branch (FCEB) agencies. CISA’s advisory warns that the vulnerability is being weaponized in attacks, and that agencies should apply mitigations or simply stop using the product if workarounds aren’t available.
“This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise,” CISA said in its alert.
The vulnerability, tracked as CVE-2025-8110, was disclosed in December by Wiz security researchers, who had stumbled on the unpatched flaw in July while investigating malware on an infected machine.
The bug allows authenticated users to bypass protections and overwrite arbitrary files on the host system, effectively granting remote code execution. More than 700 internet-exposed Gogs instances were already confirmed compromised in ongoing attacks at the time of disclosure, with upwards of 1,400 servers found reachable online.
Gogs, which is written in Go and allows users to host Git repositories on their own servers or cloud infrastructure, has yet to ship a fix for the flaw, leaving users scrambling for stopgaps such as disabling open registration and shielding instances behind VPNs. Wiz described the vulnerability as a bypass of a prior fix and easy to exploit with default settings enabled, noting: “Unfortunately, the fix implemented for the previous CVE did not account for symbolic links.”
Gogs, like Git itself, allows symbolic links – or symlinks – that act as pointers to other files or directories, including locations outside a repository's working tree. A check that only inspects the path string (stripping or rejecting "../" segments) cannot see where a symlink committed into the repository actually points, so a write to a path that looks like it stays inside the repo can land anywhere on the host. Wiz said the previous attempt to close the hole failed to account for symlinks, leaving a gap that attackers could slip through.
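The failure mode Wiz describes, as an added illustration in Go (the language Gogs is written in). This is not Gogs' code and not its patch: naiveRepoPath, safeRepoPath, resolveDeepest and setupFixture are hypothetical names, and the repository layout is constructed in a temporary directory for the demo. The naive check is the lexical "../" guard that a symlink walks straight past; the hardened check resolves the path through the filesystem before deciding whether it stays under the repository root, and refuses to write through a dangling link.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRepo is returned when the resolved path lands outside the repository root.
var ErrOutsideRepo = errors.New("path escapes repository root")

// ErrDanglingSymlink is returned when a component is a symlink that cannot be resolved;
// opening a file through such a link would create its target, wherever that points.
var ErrDanglingSymlink = errors.New("path crosses a dangling symlink")

// within reports whether p equals root or lies underneath it (both already cleaned).
func within(p, root string) bool {
	return p == root || strings.HasPrefix(p, root+string(os.PathSeparator))
}

// naiveRepoPath is the purely lexical check: join, clean, prefix-compare. It stops
// "../" traversal but never consults the filesystem, so a symlink committed into the
// repository is just another directory name to it. (Hypothetical, not Gogs' code.)
func naiveRepoPath(root, userPath string) (string, error) {
	root = filepath.Clean(root)
	joined := filepath.Join(root, userPath)
	if !within(joined, root) {
		return "", ErrOutsideRepo
	}
	return joined, nil
}

// resolveDeepest resolves every symlink in p while tolerating a tail of components that
// do not exist yet (the file about to be written). It returns the real path a write
// to p would hit.
func resolveDeepest(p string) (string, error) {
	rest := ""
	for {
		resolved, err := filepath.EvalSymlinks(p)
		if err == nil {
			return filepath.Join(resolved, rest), nil
		}
		if !errors.Is(err, os.ErrNotExist) {
			return "", err
		}
		if _, lerr := os.Lstat(p); lerr == nil {
			// The entry exists but cannot be resolved: a dangling symlink in p.
			return "", ErrDanglingSymlink
		}
		parent := filepath.Dir(p)
		if parent == p {
			return "", err
		}
		rest = filepath.Join(filepath.Base(p), rest)
		p = parent
	}
}

// safeRepoPath keeps the lexical check and adds the filesystem check: the path the
// kernel would actually open must still lie under the (also resolved) repository root.
func safeRepoPath(root, userPath string) (string, error) {
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	candidate, err := naiveRepoPath(realRoot, userPath)
	if err != nil {
		return "", err
	}
	resolved, err := resolveDeepest(candidate)
	if err != nil {
		return "", err
	}
	if !within(resolved, realRoot) {
		return "", ErrOutsideRepo
	}
	return resolved, nil
}

// setupFixture builds a constructed layout for the demo: a repo directory holding a
// "docs" subdirectory, a symlink "escape" that points at a sibling directory outside
// the repo, and a symlink "dangling" whose target does not exist.
func setupFixture() (repo, outside string, cleanup func(), err error) {
	base, err := os.MkdirTemp("", "symlink-traversal-demo")
	if err != nil {
		return "", "", nil, err
	}
	cleanup = func() { os.RemoveAll(base) }
	repo = filepath.Join(base, "repo")
	outside = filepath.Join(base, "outside")
	for _, d := range []string{filepath.Join(repo, "docs"), outside} {
		if err = os.MkdirAll(d, 0o755); err != nil {
			cleanup()
			return "", "", nil, err
		}
	}
	links := map[string]string{"escape": outside, "dangling": filepath.Join(base, "nowhere")}
	for name, target := range links {
		if err = os.Symlink(target, filepath.Join(repo, name)); err != nil {
			cleanup()
			return "", "", nil, err
		}
	}
	return repo, outside, cleanup, nil
}

func main() {
	repo, _, cleanup, err := setupFixture()
	if err != nil {
		fmt.Println("fixture:", err)
		return
	}
	defer cleanup()
	for _, p := range []string{"docs/README.md", "../secret", "escape/authorized_keys", "dangling/id_rsa"} {
		naive, nerr := naiveRepoPath(repo, p)
		safe, serr := safeRepoPath(repo, p)
		fmt.Printf("%-24s naive: %q %v\n%-24s safe:  %q %v\n", p, naive, nerr, "", safe, serr)
	}
}
```

Running it shows the naive check accepting "escape/authorized_keys" while the resolved path sits in the outside directory, which is the shape of the bypass Wiz describes. Two details matter in practice: the root itself is resolved with EvalSymlinks before comparison (otherwise a root under a symlinked temp or mount path never matches), and resolution is done on the deepest existing ancestor rather than the final file, because the file being written usually does not exist yet. The check is still racy against an attacker who swaps a directory for a symlink between the check and the write; the durable fix is to open the directory and use openat-style relative operations, which is beyond this illustration.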
While the threat hunters haven’t attributed the attacks to a particular person or group, “our assumption, based on threat actors using Supershell C2, is they are located in Asia,” Wiz researcher Yaara Shriki told The Register.
For everyone else running Gogs outside the federal bubble, the takeaway is the same: if Gogs is exposed, it’s vulnerable, and there’s still no fix to make that go away. ®