Threat actors are abusing a zero-day bug in Gogs- a famous self-hosted Git service. The open source project hasn’t fixed it yet.
About the attack
Over 700 incidents have been impacted in these attacks. Wiz researchers described the bug as “accidental” and said the attack happened in July when they were analyzing malware on a compromised system. During the investigation, the experts “identified that the threat actor was leveraging a previously unknown flaw to compromise instances. They “responsibly disclosed this vulnerability to the maintainers.”
The team informed Gogs’ maintainers about the bug, who are now working on the fix.
The flaw is known as CVE-2025-8110. It is primarily a bypass of an earlier patched flaw (CVE-2024-55947) that lets authorized users overwrite external repository files. This leads to remote code execution (RCE).
About Gogs
Gogs is written in Go, it lets users host Git repositories on their cloud infrastructure or servers. It doesn’t use GitHub or other third parties.
Git and Gogs allow symbolic links that work as shortcuts to another file. They can also point to objects outside the repository. The Gogs API also allows file configuration outside the regular Git protocol. <
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: