Security researchers have uncovered a devastating zero-day vulnerability in Gogs, the lightweight self-hosted Git service, that has already compromised over 700 internet-facing servers. The flaw, tracked as CVE-2025-8110, is a path-traversal weakness in the platform’s PutContents API that lets attackers achieve full remote code execution, without authentication, on servers running default configurations. The breach highlights the growing risks facing crypto projects and exchanges that rely on self-hosted infrastructure for source code management and deployment pipelines.
The Exploit Mechanics
The vulnerability stems from a symlink-based path-traversal issue in Gogs’ PutContents API endpoint. Newer versions of Gogs validate the file path name supplied to an upload, but they never inspect where a symbolic link in that path actually points. An attacker can create a repository containing a symlink to a sensitive file on the server, then use the PutContents API to write through that symlink, modifying files outside the repository boundary.
Once the attacker overwrites the repository’s .git/config file, specifically its sshCommand field, Git will run the supplied command, giving arbitrary command execution on the server. The entire attack chain requires only that the attacker can create repositories, a capability enabled by default in most Gogs installations with open registration.
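To make the difference between the two kinds of check concrete, here is an added Python example (not Gogs’ code) that contrasts a name-only path check with a hardened one that resolves symlinks and refuses to write through them; the directory layout, file names and function names are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path

def lexical_ok(rel_path: str) -> bool:
    """Name-only check of the kind the article describes: rejects absolute
    paths and '..' but never asks where a symlink component points."""
    norm = os.path.normpath(rel_path)
    return not (os.path.isabs(norm) or norm == ".." or norm.startswith(".." + os.sep))

def resolved_ok(repo_root: str, rel_path: str) -> bool:
    """Hardened check: resolve every symlink, then require the real target
    to stay inside the real repository root."""
    root = os.path.realpath(repo_root)
    target = os.path.realpath(os.path.join(root, rel_path))
    return os.path.commonpath([root, target]) == root

def safe_put_contents(repo_root: str, rel_path: str, data: str) -> bool:
    """Write only after the resolved check passes, and open with O_NOFOLLOW so a
    symlink swapped in between check and write is refused too. True if written."""
    if not resolved_ok(repo_root, rel_path):
        return False
    full = os.path.join(repo_root, rel_path)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    try:
        fd = os.open(full, os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW, 0o644)
    except OSError:  # ELOOP: the final path component is a symlink
        return False
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return True

def demo() -> dict:
    """Constructed layout: <tmp>/outside.conf stands in for a file outside the
    repository; <tmp>/repo/link is a symlink to it, as a pushed repo could carry."""
    tmp = tempfile.mkdtemp()
    outside = os.path.join(tmp, "outside.conf")
    repo = os.path.join(tmp, "repo")
    os.mkdir(repo)
    Path(outside).write_text("original\n")
    os.symlink(outside, os.path.join(repo, "link"))
    return {
        "name_check_accepts_symlink": lexical_ok("link"),
        "resolved_check_rejects_symlink": not resolved_ok(repo, "link"),
        "write_through_symlink_refused": not safe_put_contents(repo, "link", "x\n"),
        "outside_file_untouched": Path(outside).read_text() == "original\n",
        "normal_write_allowed": safe_put_contents(repo, "src/notes.txt", "ok\n"),
        "dotdot_rejected": not lexical_ok("../outside.conf") and not resolved_ok(repo, "../outside.conf"),
    }
```

Every entry returned by demo() is True: the name-only check passes the symlink that the resolved check and the O_NOFOLLOW open both refuse.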
Wiz researchers discovered the flaw while investigating a malware infection on a customer workload. Their external scan identified over 1,400 Gogs servers publicly exposed to the internet. Of these, more than 700 showed confirmed signs of compromise, representing an alarming 50 percent infection rate among exposed instances.
Affected Systems
All compromised Gogs instances displayed a consistent pattern: randomly generated 8-character owner and repository names created within a short window on July 10, 2025. This uniformity points to a single threat actor or organized group using automated exploitation tools at scale.
The attackers deployed malware built with Supershell, an open-source command-and-control framework that creates reverse SSH shells via web services. Infected systems communicated with a C2 server located at 119.45.176[.]196, establishing persistent backdoor access across hundreds of servers worldwide.
For cryptocurrency platforms, the implications are particularly concerning. Many blockchain projects and exchanges maintain private code repositories on self-hosted Git instances to protect proprietary trading algorithms, smart contract code, and security configurations. A compromised Git server could expose deployment keys, enable supply chain attacks on production systems, or leak sensitive infrastructure details to attackers.
The Mitigation Strategy
Wiz reported the Gogs zero-day to maintainers on July 17, 2025, but the project acknowledged the issue only on October 30. As of December 11, the vulnerability remains unpatched in the official release, leaving administrators to implement their own defensive measures.
Immediate mitigation steps include disabling open registration on all Gogs instances to prevent unauthorized users from creating repositories. Administrators should restrict server access through VPN connections or IP allow lists, effectively removing the attack surface from the public internet. Additionally, all Gogs deployments should be audited for signs of compromise, specifically reviewing the PutContents API logs for suspicious activity and scanning for repositories with random 8-character names.
Organizations running crypto infrastructure should also consider migrating to actively maintained Git hosting alternatives that receive timely security patches. The recurring pattern of symlink-handling vulnerabilities in Gogs suggests deeper architectural issues that may produce additional exploitable flaws in the future.
Lessons Learned
The Gogs incident underscores a fundamental truth in both traditional and cryptocurrency security: self-hosted infrastructure carries a hidden maintenance burden that many organizations underestimate. While self-hosting provides control over data and avoids third-party platform dependencies, it also transfers the full responsibility for security patching to the deploying organization.
With Bitcoin trading around $92,500 and the broader crypto market capitalization exceeding $3.4 trillion as of December 11, the financial incentives for attackers targeting crypto-adjacent infrastructure have never been higher. A single compromised deployment pipeline could expose millions in digital assets or enable sophisticated supply chain attacks against downstream users.
User Action Required
Any organization running a Gogs instance should immediately audit its deployment for signs of compromise. Check repository lists for suspicious entries with randomly generated names, review API access logs for unusual PutContents calls, and verify that no unauthorized SSH keys have been added to system accounts. If compromise is detected, rotate all credentials, rebuild the server from a clean image, and migrate to an alternative platform with an active security response process. The crypto industry’s security posture depends on securing every layer of the development and deployment stack, and self-hosted Git services represent a critical but often overlooked component.
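The repository audit described in the mitigation steps and again here, as an added Python example that is not part of the article or of Gogs: it walks a Gogs-style bare-repository root (the <root>/<owner>/<repo>.git layout is assumed), flags repositories whose owner and name are both random-looking 8-character strings, and flags any git config that sets sshCommand; the sample tree and the PLACEHOLDER_COMMAND value are constructed.

```python
import re
import tempfile
from pathlib import Path

# Indicators taken from the article: random 8-character owner/repo names, and a
# sshCommand entry in the repository's git config. Both are heuristics; legitimate
# 8-character names exist, so treat hits as leads for manual review.
RANDOM_NAME = re.compile(r"^[A-Za-z0-9]{8}$")
SSH_CMD = re.compile(r"^\s*sshcommand\s*=", re.IGNORECASE)  # git keys are case-insensitive

def config_has_ssh_command(config_path: Path) -> bool:
    """True if any line of a git config file sets sshCommand (missing file: False)."""
    try:
        return any(SSH_CMD.match(line) for line in config_path.read_text().splitlines())
    except OSError:
        return False

def audit_repo_root(root: str) -> list:
    """Walk <root>/<owner>/<repo>.git (the bare-repo layout assumed here) and
    return (owner, repo, reasons) for each repository that trips an indicator."""
    findings = []
    for owner_dir in sorted(p for p in Path(root).iterdir() if p.is_dir()):
        for repo_dir in sorted(p for p in owner_dir.iterdir() if p.is_dir()):
            owner = owner_dir.name
            repo = repo_dir.name[:-4] if repo_dir.name.endswith(".git") else repo_dir.name
            reasons = []
            if RANDOM_NAME.match(owner) and RANDOM_NAME.match(repo):
                reasons.append("random-looking 8-character owner and repo names")
            # bare repos keep their config at the top level, checkouts under .git/
            for cfg in ("config", ".git/config"):
                if config_has_ssh_command(repo_dir / cfg):
                    reasons.append(f"sshCommand set in {cfg}")
            if reasons:
                findings.append((owner, repo, reasons))
    return findings

def build_sample_tree() -> str:
    """Constructed fixture: one benign repository and one matching both indicators."""
    root = tempfile.mkdtemp()
    def make(owner: str, repo: str, extra: str = "") -> None:
        d = Path(root) / owner / f"{repo}.git"
        d.mkdir(parents=True)
        (d / "config").write_text("[core]\n\tbare = true\n" + extra)
    make("alice", "website")
    make("q7Xk2pLm", "Zy9wQ4tR", "\tsshCommand = PLACEHOLDER_COMMAND\n")
    return root
```

Run audit_repo_root against the real repository root of a Gogs install and review every finding by hand; any sshCommand in a server-side config is a strong signal, since Gogs has no reason to set it.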
random 8-character repo names created in the same window on July 10. these weren't opportunistic attacks; this was coordinated
the coordinated repo creation on July 10 with random 8-char names means these weren't opportunistic. someone was specifically hunting crypto project deploy keys
This is exactly why I’ve been telling my team that self-hosting isn’t just ‘set it and forget it’ for infrastructure. Gogs is great for lightweight projects, but a zero-day hitting 700 servers shows how real the supply chain risk is for crypto teams. We need to start prioritizing multi-sig deployments and aggressive CI/CD hardening immediately.
DevOps Dan the 50% infection rate among exposed instances is insane. most teams don't even know their Gogs instance is public
symlink_zero 50% infection rate means most teams never even checked if their instance was exposed. security hygiene in crypto projects is abysmal
symlink_zero 50% infection rate on exposed servers means hundreds of dev pipelines were compromised silently. anyone running gogs should assume their deploy keys are burned
DevOps Dan the scary part is gogs is just one tool. how many teams are running unpatched gitlab CE or forgejo instances with the same exposure. supply chain attacks via dev infrastructure are the next big vector
700 compromised servers and 50% infection rate among exposed instances. crypto teams running self-hosted git with default configs is a ticking bomb
Honestly, this is still better than centralizing every piece of code on GitHub if you ask me. At least with self-hosted instances, we have the actual power to patch and control our own data without vendor lock-in. These exploits are definitely a wake-up call for better network monitoring, but I’m not moving back to big tech providers anytime soon.
Sarah self-hosting is fine if you actually maintain it. most of these compromised servers hadn't been updated in 2+ years
Man, security in the crypto space is a grueling full-time job. 700 servers is a massive amount of potential exposure, especially if developers were keeping sensitive configs or private keys in their repos. It really makes you wonder how many ‘decentralized’ projects are actually running on vulnerable, unpatched infrastructure. Checking my favorite projects’ security audits now!
a symlink in a repo overwriting .git/config to get RCE via sshCommand. elegant attack honestly. CVE-2025-8110 should be a wake-up call for every team self-hosting git
overwriting .git/config via symlink to get RCE through sshCommand is genuinely clever. CVE-2025-8110 should be required reading for every devops team