700+ Gogs Instances Compromised: Zero-Day Attack Exposes Self-Hosted Git Services (2026)

Imagine waking up to the news that over 700 self-hosted Git instances have been ruthlessly exploited, and there’s no immediate fix in sight. This is the chilling reality for users of Gogs, a popular self-hosted Git service, as attackers leverage a newly discovered zero-day vulnerability to wreak havoc. But here’s where it gets even more alarming: this isn’t just a theoretical threat—it’s actively happening right now, and the open-source community is scrambling to respond.

Researchers from Wiz stumbled upon this zero-day vulnerability in July while investigating malware on an infected machine. They describe the discovery as purely accidental, but the implications are anything but. More than 700 Gogs instances have already been compromised, and the number could rise as attackers continue to exploit this flaw. Security experts Gili Tikochinski and Yaara Shriki revealed in a recent blog post (https://www.wiz.io/blog/wiz-research-gogs-cve-2025-8110-rce-exploit) that the vulnerability, tracked as CVE-2025-8110, allows authenticated users to overwrite files outside the repository, leading to remote code execution (RCE).

And this is the part most people miss: the vulnerability is essentially a bypass of a previously patched bug (CVE-2024-55947), which was initially discovered by Manasseh Zhou (https://github.com/advisories/GHSA-qf5v-rp47-55gg). The fix for that earlier issue failed to account for symbolic links, leaving the door wide open for attackers. Gogs, written in Go, allows users to host Git repositories on their own servers or cloud infrastructure, offering an alternative to platforms like GitHub. However, its support for symbolic links—which act as shortcuts to files or directories outside the repository—has become its Achilles’ heel.

Here’s how the attack works, broken down into four deceptively simple steps:
1. The attacker creates a standard Git repository.
2. They commit a symbolic link pointing to a sensitive target file.
3. Using the PutContents API, they write data to the symlink, which the system follows to overwrite the target file outside the repository.
4. By overwriting the .git/config file (specifically the sshCommand), the attacker forces the system to execute arbitrary commands.
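The root cause described above is a write path that follows symbolic links out of the repository. The following is an added illustration of the missing check, not code from Gogs or from the Wiz write-up: a `put_contents` helper that resolves the requested path, refuses anything that lands outside the repository root, and refuses to write through a symlink at all. The on-disk fixture (one ordinary file, one symlink escaping the repo) is constructed inline.

```python
import tempfile
from pathlib import Path


def resolve_within_repo(repo_root, rel_path: str) -> Path:
    """Return the real on-disk path for rel_path only if it stays inside repo_root.

    Raises ValueError for '..' escapes and for symlinks (in the final component
    or any parent) that resolve outside the repository.
    """
    root = Path(repo_root).resolve()
    target = root / rel_path
    resolved = target.resolve()          # follows every symlink on the way
    if resolved != root and root not in resolved.parents:
        raise ValueError(f"{rel_path!r} resolves outside the repository: {resolved}")
    # Even a symlink that stays inside the repo is refused: an API that writes
    # "file X" should never silently write somewhere else.
    if target.is_symlink():
        raise ValueError(f"{rel_path!r} is a symbolic link; refusing to follow it")
    return resolved


def put_contents(repo_root, rel_path: str, data: bytes) -> Path:
    """Hardened write: validate first, then write to the validated real path."""
    dest = resolve_within_repo(repo_root, rel_path)
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_bytes(data)
    return dest


def demo() -> dict:
    """Constructed fixture: a repo with one honest file and one symlink that
    points at a file outside the repo. Reports which writes were allowed."""
    base = Path(tempfile.mkdtemp())
    repo = base / "repo"
    (repo / "docs").mkdir(parents=True)
    outside = base / "outside.txt"            # stands in for a sensitive target file
    outside.write_text("untouched")
    (repo / "escape").symlink_to(outside)     # the committed symlink from step 2

    results = {}
    put_contents(repo, "docs/README.md", b"hello")
    results["normal"] = (repo / "docs" / "README.md").read_bytes() == b"hello"
    for name in ("escape", "../outside.txt"):
        try:
            put_contents(repo, name, b"overwritten")
            results[name] = "written"
        except ValueError:
            results[name] = "refused"
    results["outside_intact"] = outside.read_text() == "untouched"
    return results


if __name__ == "__main__":
    print(demo())
```

Note that a check-then-write sequence is still racy on a shared filesystem: a production implementation should also open the final path with flags such as `O_NOFOLLOW` (or write via the Git object database rather than the working tree) so that a symlink swapped in between the check and the write cannot be followed either.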

What’s particularly concerning is how accessible this exploit is. According to Wiz, these steps are “trivial for any user with repository creation permissions,” which are enabled by default. Out of approximately 1,400 Gogs instances exposed to the internet, over 700 have already been infected. These compromised instances share a common signature: an 8-character random owner/repo name created on July 10 and a payload using the Supershell remote command-and-control framework.

While the attackers haven’t been definitively identified, Shriki told The Register that their use of Supershell C2 suggests they may be based in Asia. This isn’t the first time Supershell has been linked to malicious activity—Mandiant, now owned by Google (as Wiz will be soon: https://www.theregister.com/2025/11/05/googles32bwizacquisitionits/), documented Chinese spies exploiting a critical F5 bug via Supershell last year to sell access to compromised U.S. defense organizations and UK government agencies (https://www.theregister.com/2024/03/22/chinaf5connectwise_unc5174/).

But here’s the controversial question: Are self-hosted solutions like Gogs inherently riskier than third-party platforms like GitHub? While self-hosting offers greater control, it also places the burden of security squarely on the user. And when vulnerabilities like CVE-2025-8110 emerge, the lack of immediate fixes can leave users dangerously exposed. What’s your take? Let us know in the comments.

For now, the Gogs maintainers are working on a patch, but active exploitation continues. Wiz recommends immediate mitigation steps: disable open-registration if it’s not required, and limit internet exposure by placing self-hosted Git services behind a VPN. Additionally, keep an eye out for newly created repositories with random 8-character names or unusual usage of the PutContents API. The researchers have also published a full list of indicators of compromise, which is a must-read for anyone running a Gogs instance.
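The two detection hints above, random 8-character owner or repository names and unusual PutContents activity, can be turned into a simple log scan. The script below is an added example, not a tool from Wiz or the Gogs project. It assumes a reverse proxy in front of Gogs writing combined-format access logs (the sample lines, IPs and timestamps are constructed) and assumes that `PUT /api/v1/repos/{owner}/{repo}/contents/{path}` is the PutContents route; adjust `LINE_RE` and `CONTENTS_RE` to what your deployment actually logs.

```python
import re
from collections import Counter

# Constructed sample log (combined-log shape). One host creates a repository and
# immediately issues two contents writes under random-looking names; a second
# host is an ordinary user editing a README.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jul/2025:03:14:07 +0000] "POST /api/v1/user/repos HTTP/1.1" 201 512
10.0.0.5 - - [10/Jul/2025:03:14:09 +0000] "PUT /api/v1/repos/q7zk2m9x/h3vn8p1r/contents/notes.txt HTTP/1.1" 200 311
10.0.0.5 - - [10/Jul/2025:03:14:10 +0000] "PUT /api/v1/repos/q7zk2m9x/h3vn8p1r/contents/link HTTP/1.1" 200 287
192.168.1.20 - - [10/Jul/2025:08:02:41 +0000] "GET /alice/website HTTP/1.1" 200 6071
192.168.1.20 - - [10/Jul/2025:08:05:12 +0000] "PUT /api/v1/repos/alice/website/contents/README.md HTTP/1.1" 200 402
"""

# Assumed log shape: client ip, identd, user, [timestamp], "METHOD path proto", status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumed PutContents route (owner/repo/path); verify against your Gogs version.
CONTENTS_RE = re.compile(
    r'^/api/v1/repos/(?P<owner>[^/]+)/(?P<repo>[^/]+)/contents/(?P<file>.+)$'
)


def looks_random(name: str) -> bool:
    """Heuristic for the reported 8-character random names: exactly eight
    lowercase alphanumerics mixing letters and digits. Tune to your naming policy."""
    return (re.fullmatch(r'[a-z0-9]{8}', name) is not None
            and any(c.isdigit() for c in name)
            and any(c.isalpha() for c in name))


def analyze(log_text: str):
    """Return (findings, contents_writes_by_ip).

    findings lists every PutContents call against a random-looking owner or repo;
    the per-IP counter surfaces bursts of contents writes worth a closer look even
    when the names look ordinary.
    """
    findings = []
    writes_by_ip = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m['method'] != 'PUT':
            continue
        c = CONTENTS_RE.match(m['path'])
        if not c:
            continue
        writes_by_ip[m['ip']] += 1
        if looks_random(c['owner']) or looks_random(c['repo']):
            findings.append({
                'ip': m['ip'],
                'ts': m['ts'],
                'repo': f"{c['owner']}/{c['repo']}",
                'file': c['file'],
                'reason': 'contents write to random-looking owner/repo name',
            })
    return findings, writes_by_ip


if __name__ == "__main__":
    found, per_ip = analyze(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']} {f['ip']} {f['repo']} {f['file']}: {f['reason']}")
    print("contents writes per client:", dict(per_ip))
```

The name heuristic will produce false positives on legitimately short names, so treat a hit as a prompt to inspect the repository (in particular for committed symlinks pointing outside the tree) rather than as proof of compromise; the per-client counter is the cheaper signal when an instance has few API users.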

As we await a fix, one thing is clear: the line between convenience and security is blurrier than ever. How will you balance the two? The choice—and the consequences—are yours.

Author: Lilliana Bartoletti