All A-Gogs
Last week I reported on three critical path traversal vulnerabilities, and today another one has been added to the list: CVE-2025-8110. It affects internet-facing Gogs servers: a path traversal weakness in the PutContents API allows authenticated attackers to bypass the protections added for a previously patched remote command execution bug (CVE-2024-55947) by overwriting files outside the repository via symbolic links, according to Bleeping Computer.
Now, to put that in plain English. Gogs is an alternative to GitLab, written in the programming language Go. It is often described as a ‘painless’ self-hosted Git service, used for setting up code repositories for program development. Symbolic links are a type of file that points at another file or directory on Windows and Linux systems, like a shortcut. This vulnerability allows outside actors with an account to write through such links remotely and overwrite files outside the repository, essentially creating a backdoor into the compromised system, and many of the affected systems fall into the category of Federal Civilian Executive Branch (FCEB) agencies. These are the non-military branches like the Departments of Energy, Justice, Homeland Security or State.
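The difference between a path check that only looks at the request string and one that follows symbolic links is the whole story above, so here is an added example of both, written for this post and not taken from Gogs. It assumes a Linux-style file system where symlinks can be created, and it builds its own constructed repository layout (an "outside" directory, a directory link and a file link pointing at it) under a temporary directory. The lexical check accepts a write to `link/evil.txt` because nothing in the string looks like traversal; the symlink-aware check resolves the existing part of the path first and rejects it.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRepo is returned when a requested path would land outside the repository root.
var ErrOutsideRepo = errors.New("path escapes repository root")

// escapesRoot reports whether a cleaned relative path climbs above its base.
func escapesRoot(rel string) bool {
	rel = filepath.ToSlash(rel)
	return rel == ".." || strings.HasPrefix(rel, "../")
}

// LexicalOnly is the kind of check a first traversal fix typically adds: it cleans the request
// path and refuses absolute paths and "../" segments, but never consults the file system, so a
// symbolic link inside the repository that points outside goes unnoticed.
func LexicalOnly(repoRoot, relPath string) (string, error) {
	rel := filepath.Clean(relPath)
	if filepath.IsAbs(rel) || escapesRoot(rel) {
		return "", ErrOutsideRepo
	}
	return filepath.Join(repoRoot, rel), nil
}

// ResolveWithinRepo does the lexical check, then resolves every symlink in the longest existing
// prefix of the target so that the path which would really be written is the one compared with
// the repository root. Not-yet-existing components are appended lexically (they cannot be links);
// a dangling link is rejected because resolving it fails.
func ResolveWithinRepo(repoRoot, relPath string) (string, error) {
	rel := filepath.Clean(relPath)
	if filepath.IsAbs(rel) || escapesRoot(rel) {
		return "", ErrOutsideRepo
	}
	rootReal, err := filepath.EvalSymlinks(repoRoot)
	if err != nil {
		return "", err
	}
	existing := filepath.Join(rootReal, rel)
	var pending []string
	for {
		_, statErr := os.Lstat(existing)
		if statErr == nil {
			resolved, err := filepath.EvalSymlinks(existing)
			if err != nil {
				return "", err // dangling link or unreadable component: refuse the write
			}
			existing = resolved
			break
		}
		if !errors.Is(statErr, os.ErrNotExist) {
			return "", statErr
		}
		pending = append([]string{filepath.Base(existing)}, pending...)
		existing = filepath.Dir(existing)
	}
	final := filepath.Join(append([]string{existing}, pending...)...)
	inside, err := filepath.Rel(rootReal, final)
	if err != nil || escapesRoot(inside) {
		return "", ErrOutsideRepo
	}
	return final, nil
}

// BuildFixture creates the constructed layout under base and returns the repository root:
// base/outside/target (a file the repo must not reach), base/repo/docs/ (ordinary directory),
// base/repo/link -> ../outside (directory link), base/repo/pointer -> ../outside/target (file link).
func BuildFixture(base string) (string, error) {
	repo := filepath.Join(base, "repo")
	for _, dir := range []string{filepath.Join(base, "outside"), filepath.Join(repo, "docs")} {
		if err := os.MkdirAll(dir, 0o755); err != nil {
			return "", err
		}
	}
	if err := os.WriteFile(filepath.Join(base, "outside", "target"), []byte("original\n"), 0o644); err != nil {
		return "", err
	}
	if err := os.Symlink(filepath.Join("..", "outside"), filepath.Join(repo, "link")); err != nil {
		return "", err
	}
	return repo, os.Symlink(filepath.Join("..", "outside", "target"), filepath.Join(repo, "pointer"))
}

func main() {
	base, err := os.MkdirTemp("", "symlink-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(base)
	repo, err := BuildFixture(base)
	if err != nil {
		panic(err)
	}
	for _, req := range []string{"docs/README.md", "../outside/target", "link/evil.txt", "pointer"} {
		_, lexErr := LexicalOnly(repo, req)
		_, realErr := ResolveWithinRepo(repo, req)
		fmt.Printf("%-18s lexical accepts: %-5v symlink-aware accepts: %v\n", req, lexErr == nil, realErr == nil)
	}
}
```

The important design point is the walk from the target back towards the root: the write target usually does not exist yet, so `EvalSymlinks` on the full path fails, and the check has to resolve the deepest existing ancestor instead. Checking only the parent directory would miss the `pointer` case, where the final component itself is an existing link to a file outside the repository.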
CVE-2025-8110 has a fairly high severity rating of 8.7, with reported zero-day exploitation in the wild. CISA is advising that departments using Gogs should apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Go is an open source programming language, designed to have a simple syntax like C, and was developed by Google in 2007. While open source coding languages are great on paper, the downside is that their ease of use leads to ease of exploitation. The same qualities that make them user friendly at the developer end make them user friendly for threat actors too. And something as simple as failing to restrict who has access leads to vulnerabilities such as these. Among the mitigations suggested for CVE-2025-8110 are simply disabling the default open-registration setting or limiting access with an allow list.
The pattern I’m seeing emerge so far this year is previously patched vulnerabilities developing new loopholes in exploitable ways, especially in path traversal. Obfuscation and stealth are the norm for gaining entry to compromised systems these days, rather than brute force attacks, and hijacking legitimate functions like file moving is becoming more common. Data breaches are occurring before an enterprise even knows what’s happening, and usually without obvious signs of attack until it is too late. There is also an aspect of timeliness involved in mitigating these types of vulnerabilities. Wiz researchers discovered CVE-2025-8110 in July of last year, and reported it to the Gogs maintainers at that time. But Gogs didn’t acknowledge the issue until October. CISA posted their report confirming Wiz’s findings yesterday. And in the meantime, of 1400 Gogs servers observed by Wiz to be exposed, over 1200 remain that way. More than 700 of them show signs of vulnerability, with a second wave of active exploitation noted since November 1st.
For half a year this vulnerability has been out there waiting to be taken advantage of. The pace of cybercrime is accelerating, and we have got to start catching up to it. And I know big businesses with the single-minded pursuit of profits on their minds don’t want to hear this, but catching up is only going to happen by hiring enough people to do it. Cybersecurity is akin to a good mechanic or electrician; you get what you pay for.
Posted on LinkedIn, 1/13/26