CVE-2025-8110

What is Gogs?

Gogs is a lightweight, self-hosted Git service written in Go — a popular alternative to Gitea, GitLab, and GitHub Enterprise for organizations that want a simple, fast, and low-resource Git hosting solution. Gogs provides a web interface for repository management including file browsing and editing. It is widely deployed by developers, small organizations, and enterprises as internal source code management infrastructure.

Because Gogs hosts source code repositories, a compromise of a Gogs instance can expose all hosted source code, secrets embedded in code, CI/CD configurations, and deployment credentials — making it a high-value target.

Overview

CVE-2025-8110 is a path traversal vulnerability (CWE-22) in Gogs' repository web editor — specifically, the PutContents API used to create and edit files in repositories via the web interface. The original code only checked whether the final target file path was a symlink, but did not validate whether any parent directory in the path hierarchy contained a symlink pointing outside the repository. An authenticated user with repository write access can create a symlink in a parent directory pointing to an arbitrary filesystem location, then use the file editor to read or write to that location — escaping the repository sandbox to access the host filesystem. Wiz Research discovered the vulnerability.

Affected Versions

Technical Details

The path traversal (CWE-22) is in Gogs' PutContents API, which handles file creation and editing operations in the repository web editor. The original path validation code checked os.Lstat(path) on the final file path to detect symlinks, but did not walk each parent directory component to detect intermediate symlinks.

Exploitation sequence:

1. Attacker (any repository contributor) creates a repository in Gogs
2. Uses Gogs' web interface or Git client to create a symbolic link in a repository directory pointing to an attacker-chosen host path (e.g., link -> /etc)
3. Uses the Gogs web editor's file edit feature to access files via the symlink path (link/passwd → /etc/passwd)
4. Can read sensitive files (SSH keys, configuration files, other repository secrets) or overwrite files accessible to the Gogs service account

The fix introduces a hasSymlinkInPath() function that walks every component of the path using os.Lstat() before allowing the file operation, rejecting any path component that is a symlink.

Service account impact: Gogs typically runs as a dedicated git user on Linux systems. That account can read/write all Gogs repository data and may have access to configuration files, SSH keys used for repository operations, and other sensitive system resources accessible to the service user.

Discovery

Wiz Research discovered and reported the vulnerability to the Gogs maintainers.

Exploitation Context

CISA added CVE-2025-8110 to the KEV catalog on January 12, 2026, confirming active exploitation in the wild. Git server compromise is particularly valuable to attackers who want to access source code secrets, steal code signing keys, or inject malicious code into the software supply chain.

Remediation

1. Upgrade Gogs to 0.14.0 immediately. The CISA deadline was February 2, 2026.
2. Restrict repository creation access — limit who can create repositories in your Gogs instance; unauthenticated repository creation should always be disabled.
3. Review repository contents for unexpected symbolic links — check all repositories for lrwxrwxrwx entries (symlinks) pointing to paths outside the repository tree.
4. Audit Gogs service account access — review what files and paths the git service account can access, and minimize unnecessary filesystem permissions.
5. Rotate secrets stored in or accessible from repositories — SSH deploy keys, embedded credentials, and API tokens in .env or configuration files hosted on the Gogs server should be considered potentially compromised.