PT-2025-50327 · Gogs · Gogs

Published: 2025-10-30 · Updated: 2026-04-11 · CVE-2025-8110

CVSS v2.0: 9.0 (High), vector AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Gogs versions prior to 0.13.0 with the PutContents API enabled.

Description

Gogs contains a path traversal vulnerability in the PutContents API that allows authenticated attackers to overwrite files outside the repository and achieve remote code execution (RCE). The vulnerability bypasses a prior RCE fix because symbolic links are handled improperly. Over 700 instances have been compromised, and active exploitation is ongoing. The vulnerability is tracked as CVE-2025-8110 and has a CVSS score of 8.7. Attackers can leverage symlinks to write arbitrary files with the permissions of the Gogs process, potentially leading to credential theft, supply chain attacks, and system takeover.

Recommendations

Disable the PutContents API or block PUT requests to /api/v1/repos//contents/. Monitor for unusual PUT requests, symlink creation in repositories, and unexpected file writes by the Gogs process. Restrict internet exposure using VPNs or IP allow-lists. Isolate affected systems. Upgrade to Gogs 0.13.0 or later when available.
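The monitoring recommendation above can be turned into a log check. The following is an added example written for this record, not code from Gogs or from the advisory's author: it parses constructed Nginx-style access log lines in front of a Gogs instance, flags every PUT to the contents endpoint for review (the advisory suggests blocking these outright), and raises the severity when the request path contains a dot-dot segment, including URL-encoded and double-encoded forms. It assumes the owner and repository segments sit between `repos/` and `/contents/` in the API path, which the record's own path string elides; adjust the route pattern if your deployment differs.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format). These are not
# real traffic; the non-routable 203.0.113.x/198.51.100.x addresses and the
# "outside/file.txt" targets are placeholders.
SAMPLE_LOG = """\
203.0.113.10 - alice [30/Oct/2025:10:01:12 +0000] "GET /api/v1/repos/acme/app/contents/README.md HTTP/1.1" 200 512
203.0.113.10 - alice [30/Oct/2025:10:01:30 +0000] "PUT /api/v1/repos/acme/app/contents/docs/index.md HTTP/1.1" 201 88
198.51.100.7 - mallory [30/Oct/2025:10:02:05 +0000] "PUT /api/v1/repos/acme/app/contents/link/../../../outside/file.txt HTTP/1.1" 201 90
198.51.100.7 - mallory [30/Oct/2025:10:02:40 +0000] "PUT /api/v1/repos/acme/app/contents/x%2F..%2F..%2Foutside%2Ffile.txt HTTP/1.1" 201 92
198.51.100.7 - mallory [30/Oct/2025:10:02:55 +0000] "PUT /api/v1/repos/acme/app/contents/x%252F%252E%252E%252Foutside HTTP/1.1" 403 0
192.0.2.4 - bob [30/Oct/2025:10:03:00 +0000] "POST /api/v1/repos/acme/app/issues HTTP/1.1" 201 300
"""

# Combined log format: client, ident, user, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed Gogs route shape: /api/v1/repos/<owner>/<repo>/contents/<file path>.
# The owner/repo segments are an assumption; the advisory's path string omits them.
CONTENTS_RE = re.compile(r'^/api/v1/repos/[^/]+/[^/]+/contents/')


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def has_traversal(path):
    """True if any path segment is '..' after stripping the query string and
    decoding twice, so single- and double-encoded dot segments are caught."""
    decoded = unquote(unquote(path.split('?', 1)[0]))
    # Treat backslashes as separators too; some proxies normalise them.
    return any(seg == '..' for seg in decoded.replace('\\', '/').split('/'))


def scan(log_text):
    """Return findings for every PUT to the contents endpoint.

    severity 'review': a PUT to the contents API (the advisory recommends
                       blocking these while the API is exposed)
    severity 'high':   the same, with a dot-dot segment in the file path
    """
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec or rec['method'] != 'PUT':
            continue
        if not CONTENTS_RE.match(rec['path']):
            continue
        severity = 'high' if has_traversal(rec['path']) else 'review'
        findings.append({
            'ip': rec['ip'],
            'user': rec['user'],
            'path': rec['path'],
            'status': rec['status'],
            'severity': severity,
        })
    return findings


if __name__ == '__main__':
    for f in scan(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ip']:14} {f['user']:8} {f['status']} {f['path']}")
```

Legitimate PUTs by ordinary users still appear with severity `review`; that is intentional, since the record advises blocking the endpoint entirely until the upgrade lands, so any PUT that gets through is worth a look. A rejected request (status 403) is kept in the output as well, because repeated attempts from one client are a useful signal even when the proxy already blocks them.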

Exploit · Fix · RCE · DoS · Path traversal

Weakness Enumeration

Related Identifiers

BDU:2025-15737
CVE-2025-8110
GHSA-MQ8M-42GH-WQ7R
GO-2025-4225
SUSE-SU-2026:0037-1

Affected Products

Gogs