CVE-2025-8110
HIGH CISA KEV EPSS 99.5%
Published Dec 10, 20256mo ago · Modified Jun 17, 20261w ago
8.7 CVSS 4.0
Published Dec 10, 2025 6mo ago
Last Modified Jun 17, 2026 1w ago
KEV Listed Jan 12, 2026 5mo ago
KEV Due Feb 2, 2026 148d overdue
Description
Improper Symbolic link handling in the PutContents API in Gogs allows Local Execution of Code.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:C/RE:X/U:X Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope X
Threat Intelligence
CISA Known Exploited Overdue 148d
- Added
- Jan 12, 2026
- Due
- Feb 2, 2026
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
EPSS Exploit Probability
99.5% percentile
Exploit & Patch Status
Actively Exploited (KEV)
Patch Available
Weaknesses 1
CWE-22 Path Traversal Resource Mgmt
Affected Products 1
| Vendor | Product | Version | Range |
|---|---|---|---|
| gogs | gogs | * | ≤0.13.3 |
References 9
- wiz.io http://wiz.io/blog/wiz-research-gogs-cve-2025-8110-rce-exploit
- openwall.com http://www.openwall.com/lists/oss-security/2025/12/11/3
- openwall.com http://www.openwall.com/lists/oss-security/2025/12/11/4
- openwall.com http://www.openwall.com/lists/oss-security/2026/01/17/4
- openwall.com http://www.openwall.com/lists/oss-security/2026/01/18/1
- openwall.com http://www.openwall.com/lists/oss-security/2026/01/18/2
- github.com https://github.com/gogs/gogs/commit/553707f3fd5f68f47f531cfcff56aa3ec294c6f6
- github.com https://github.com/gogs/gogs/pull/8078
- cisa.gov https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-8110
Remediation
- github.com https://github.com/gogs/gogs/commit/553707f3fd5f68f47f531cfcff56aa3ec294c6f6
- github.com https://github.com/gogs/gogs/pull/8078