Gogs RCE: When 'Fixed' Just Means 'Try Harder' (CVE-2025-8110)
Jan 15, 2026·7 min read·4 visits
Executive Summary (TL;DR)
Gogs versions <= 0.13.3 contain a logic flaw in how they handle symbolic links during file updates. An authenticated attacker can push a symlink to a repository and then use the file update API to write data through that link, overwriting sensitive system files like `/etc/passwd`. This results in full Remote Code Execution. The vulnerability is actively exploited in the wild.
A critical remote code execution vulnerability in Gogs, a popular self-hosted Git service. An incomplete patch for a previous symlink vulnerability allowed attackers to bypass checks by nesting malicious paths, permitting arbitrary file overwrites on the host system via the repository API.
Official Patches
Fix Analysis (1)
Technical Appendix
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HAffected Systems
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
Gogs Gogs | <= 0.13.3 | 0.13.4 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) |
| CVSS v3.1 | 8.8 (High) |
| Attack Vector | Network (Authenticated) |
| EPSS Score | 0.95% |
| Exploit Status | Active Exploitation (CISA KEV) |
| Patch Commit | 553707f3fd5f68f47f531cfcff56aa3ec294c6f6 |
MITRE ATT&CK Mapping
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Known Exploits & Detection
Vulnerability Timeline
Subscribe to updates
Get the latest CVE analysis reports delivered to your inbox.