Over 700 self-hosted Gogs instances have been compromised in zero-day attacks, and no fix is immediately available. Attackers are exploiting a previously unknown flaw in Gogs, a popular self-hosted Git service; the flaw was responsibly disclosed to the maintainers.

The vulnerability, tracked as CVE-2025-8110, allows authenticated users to overwrite files outside the repository, leading to remote code execution (RCE). It is a bypass of a previously patched issue (CVE-2024-55947) and affects Gogs servers running version 0.13.3 or earlier with open registration enabled. The fix for the earlier RCE did not account for symbolic links, so attackers can execute malicious code in four steps, all within reach of any user with the default repository creation permissions.

The attacks have been attributed to a group potentially based in Asia that uses the Supershell remote command-and-control framework. What the intruders did with their access to vulnerable instances remains unclear.

To mitigate the risk, Wiz recommends disabling open registration and limiting internet exposure by placing self-hosted Git services behind a VPN. Users should also monitor for newly created repositories with random 8-character names or unusual API usage. The full list of indicators of compromise is available for reference.
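One way to run the repository-name check described above, as an added example that is not code from Wiz or the Gogs project. It assumes bare repositories are stored as `<repo_root>/<owner>/<repo>.git`, reads "random 8-character name" as exactly eight ASCII letters or digits, and uses the directory's modification time as a stand-in for creation time; the function name and the 30-day window are hypothetical.

```python
import os
import re
import sys
import time

# Assumption: a "random 8-character name" is exactly eight ASCII letters or digits.
SUSPECT_NAME = re.compile(r"[A-Za-z0-9]{8}")


def find_suspect_repos(repo_root, max_age_days=30, now=None):
    """Return (owner, repo, age_days) for recent bare repos with 8-character names.

    Assumes the layout <repo_root>/<owner>/<repo>.git and treats the repo
    directory's mtime as an approximation of when it was created.
    """
    now = time.time() if now is None else now
    hits = []
    for owner in sorted(os.listdir(repo_root)):
        owner_dir = os.path.join(repo_root, owner)
        # Skip stray files and symlinked owner directories.
        if os.path.islink(owner_dir) or not os.path.isdir(owner_dir):
            continue
        for entry in sorted(os.listdir(owner_dir)):
            path = os.path.join(owner_dir, entry)
            if not entry.endswith(".git") or not os.path.isdir(path):
                continue
            name = entry[: -len(".git")]
            if not SUSPECT_NAME.fullmatch(name):
                continue
            age_days = (now - os.lstat(path).st_mtime) / 86400
            if age_days <= max_age_days:
                hits.append((owner, name, round(age_days, 1)))
    return hits


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: find_suspect_repos.py <gogs repository root>")
    for owner, name, age in find_suspect_repos(sys.argv[1]):
        print(f"review: {owner}/{name} (directory modified {age} days ago)")
```

An ordinary eight-letter name such as `projects` also matches, so treat hits as candidates to review against the published indicators of compromise rather than as confirmed compromise.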