Act now! Attackers have been targeting Gogs servers for months

In addition to security researchers, a US government security agency is now also warning of attacks on self-hosted Git servers running Gogs.


Admins who self-host a Git server with Gogs should immediately apply a workaround to protect it, since no security update is available yet. Attackers have been exploiting the vulnerability, which allows them to execute malicious code on the server, since July of last year.

Vulnerable servers also exist in Germany. The US cybersecurity agency CISA has now weighed in and confirmed the attacks.

As a post by security researchers at Wiz from December of last year shows, they observed the first attacks as early as July 2025, followed by a second wave in November. In December they counted more than 1400 publicly accessible instances worldwide, of which more than 700 are said to have already been attacked via the vulnerability (CVE-2025-8110, rated "high").

How widespread the attacks are and when a security update will be released is currently unclear. In their post, the researchers list the indicators admins can use to recognise instances that have already been attacked, including the IP addresses of the payload servers.

Attacks do require an authenticated user, but that is not much of a hurdle: by default, self-registration on Gogs servers is enabled. If that is the case and the instance is reachable from the internet, anyone can create an account and attack it.

Attackers then bypass the fix for a previously patched vulnerability (CVE-2024-55947) and use a symlink to overwrite files, which lets them execute malicious code. The security researchers' post explains in detail how this works.
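The following is an added, generic illustration of the attack class the article names, not code from Gogs or from the Wiz write-up (the exact Gogs code path is described there, not here): a symlink inside a user-controlled tree turns an innocent-looking in-tree file write into an overwrite of an arbitrary file elsewhere on the host, and a per-component lstat plus O_NOFOLLOW containment check stops it. All paths, file names and contents below are constructed.

```python
"""Added illustration, not code from Gogs or from the Wiz write-up: how a
symlink inside a user-controlled tree turns an in-tree file write into an
overwrite of an arbitrary file elsewhere on the host, and the lstat/O_NOFOLLOW
containment check that stops it. All paths and contents below are constructed."""
import errno
import os
import tempfile


class SymlinkEscape(Exception):
    """Raised when a write would leave the intended root via a symlink or '..'."""


def naive_write(repo_root: str, rel_path: str, data: bytes) -> str:
    """Vulnerable pattern: open() follows symlinks, so if rel_path (or one of its
    parent directories) is a link, the bytes land wherever the link points."""
    target = os.path.join(repo_root, rel_path)
    with open(target, "wb") as f:
        f.write(data)
    return os.path.realpath(target)


def safe_write(repo_root: str, rel_path: str, data: bytes) -> str:
    """Hardened pattern: reject '..', refuse symlinks on every path component,
    open the final component with O_NOFOLLOW, and re-verify containment."""
    root = os.path.realpath(repo_root)
    norm = os.path.normpath(rel_path)
    if os.path.isabs(norm) or norm == ".." or norm.startswith(".." + os.sep):
        raise SymlinkEscape(f"path escapes root: {rel_path!r}")
    parts = norm.split(os.sep)
    cur = root
    for part in parts[:-1]:
        cur = os.path.join(cur, part)
        if os.path.islink(cur):
            raise SymlinkEscape(f"symlinked directory in path: {cur}")
    final = os.path.join(cur, parts[-1])
    if os.path.islink(final):
        raise SymlinkEscape(f"symlinked file: {final}")
    # O_NOFOLLOW closes the check-then-open race on the final component
    # (not available on Windows; getattr keeps the example importable there).
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(final, flags, 0o644)
    except OSError as e:
        if e.errno == errno.ELOOP:
            raise SymlinkEscape(f"symlink raced into place: {final}") from e
        raise
    try:
        os.write(fd, data)
    finally:
        os.close(fd)
    real = os.path.realpath(final)
    if os.path.commonpath([root, real]) != root:
        raise SymlinkEscape(f"write landed outside root: {real}")
    return real


def demo() -> dict:
    """Constructed layout: a config file outside the repo, and a symlink inside
    the repo that points at it. Returns what each write strategy did."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = os.path.join(tmp, "repo")
        outside = os.path.join(tmp, "outside")
        os.makedirs(repo)
        os.makedirs(outside)
        victim = os.path.join(outside, "target.conf")
        with open(victim, "w") as f:
            f.write("original\n")
        # The "repository content" an attacker controls: a symlink, not a file.
        os.symlink(victim, os.path.join(repo, "innocent.txt"))

        landed = naive_write(repo, "innocent.txt", b"attacker\n")
        with open(victim) as f:
            victim_after = f.read()

        try:
            safe_write(repo, "innocent.txt", b"attacker\n")
            blocked = False
        except SymlinkEscape:
            blocked = True

        # A normal, non-symlinked file is still writable through the safe path.
        kept = safe_write(repo, "real.txt", b"fine\n")
        with open(kept, "rb") as f:
            kept_data = f.read()

        root = os.path.realpath(repo)
        return {
            "naive_escaped": os.path.commonpath([root, landed]) != root,
            "victim_after": victim_after,
            "safe_blocked": blocked,
            "safe_in_root": os.path.commonpath([root, kept]) == root,
            "safe_data": kept_data,
        }


if __name__ == "__main__":
    print(demo())
```

The point of the hardened version is that a single realpath check before the write is not enough: the symlink must be rejected on every path component with an lstat-style check, the final open must refuse to follow links so the check cannot be raced, and the result should still be verified after the fact.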


Until a patch is available, admins must disable self-registration and restrict access to their Gogs servers to trusted IP addresses, for example by placing them behind a VPN.
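As an added example (not from the article or the Gogs project), the check below audits a Gogs custom/conf/app.ini for the two settings behind that workaround. DISABLE_REGISTRATION in [service] and HTTP_ADDR in [server] are the real Gogs keys with their real defaults; the two ini snippets are constructed samples, not a real deployment.

```python
"""Added example, not from the article or the Gogs project: audit a Gogs
custom/conf/app.ini for the two settings behind the recommended workaround.
DISABLE_REGISTRATION ([service]) and HTTP_ADDR ([server]) are real Gogs keys;
the two ini snippets are constructed samples, not a real deployment."""
import configparser

# Constructed sample: Gogs' defaults as shipped, which the article warns about.
WEAK_INI = """\
[server]
HTTP_ADDR = 0.0.0.0
HTTP_PORT = 3000

[service]
DISABLE_REGISTRATION = false
"""

# Constructed sample: registration closed, daemon bound to loopback so that
# only a VPN-facing reverse proxy (or SSH tunnel) can reach it.
HARDENED_INI = """\
[server]
HTTP_ADDR = 127.0.0.1
HTTP_PORT = 3000

[service]
DISABLE_REGISTRATION = true
"""


def parse_app_ini(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # Gogs keys are upper-case; keep them case-sensitive
    cp.read_string(text)
    return cp


def audit_gogs_config(text: str) -> list:
    """Return one finding per weak setting; an empty list means both
    workaround controls are in place."""
    cp = parse_app_ini(text)
    findings = []
    # Gogs defaults to open self-registration when the key is absent.
    if not cp.getboolean("service", "DISABLE_REGISTRATION", fallback=False):
        findings.append(
            "[service] DISABLE_REGISTRATION is not true: anyone on the internet "
            "can create the authenticated account the attack needs"
        )
    # Gogs defaults to listening on every interface when HTTP_ADDR is absent.
    addr = cp.get("server", "HTTP_ADDR", fallback="0.0.0.0").strip()
    if addr in ("", "0.0.0.0", "::", "[::]"):
        findings.append(
            f"[server] HTTP_ADDR = {addr!r}: daemon listens on all interfaces; "
            "bind it to loopback or the VPN interface and allowlist trusted IPs"
        )
    return findings


if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(name, audit_gogs_config(ini) or ["no findings"])
```

Disabling registration only stops new sign-ups: accounts created during the earlier attack waves remain valid, so the user list should be reviewed alongside the indicators from the Wiz post, and binding to loopback only helps if the reverse proxy or firewall in front actually enforces the allowlist.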

(des)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.