U.S. CISA adds a flaw in Gogs to its Known Exploited Vulnerabilities catalog
Publish Date: 2026-01-12 16:55:54
Source Domain: securityaffairs.com
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical path traversal vulnerability in Gogs, tracked as CVE-2025-8110 (CVSS score 8.7), to its Known Exploited Vulnerabilities (KEV) catalog on the basis of evidence that it is being exploited in the wild. The flaw stems from improper handling of symbolic links in Gogs' PutContents API: a symlink inside a repository can redirect a write that appears to target a file within the repository to a location outside it, giving an attacker an arbitrary file write that can be escalated to remote code execution on the server. Wiz Research discovered the issue and found that it bypasses the fix for a previously addressed remote code execution vulnerability, CVE-2024-55947, which involved similar weaknesses in path validation and symlink handling. CISA urges federal agencies and private organizations alike to address the flaw promptly. Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch agencies must remediate it by February 2, 2026, since actively exploited flaws of this kind pose significant risk to federal networks.
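As an added illustration of the bug class described above, and not Gogs' own code or the actual exploit, the following Go program shows why a purely lexical path check is not enough when the write path crosses a symbolic link, and how a check that resolves symlinks before verifying containment blocks it. The temporary repository layout, the `docs` symlink pointing outside the tree, and the function names `naiveTarget`, `safeTarget` and `demo` are all constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when a write target resolves outside the repository.
var ErrOutsideRoot = errors.New("target resolves outside the repository root")

// Result records what each check decided in the constructed scenario.
type Result struct {
	NaiveAccepted bool // lexical check let the symlinked path through
	SafeRejected  bool // symlink-aware check refused it
	LegitAllowed  bool // symlink-aware check still allows an ordinary in-tree file
}

// under reports whether path is root itself or a descendant of root.
func under(root, path string) bool {
	return path == root || strings.HasPrefix(path, root+string(os.PathSeparator))
}

// naiveTarget is the weak pattern (hypothetical, for illustration): clean the
// user-supplied path lexically and check that the joined result still starts
// with the root. This stops "../" but never consults the filesystem, so a
// symlinked directory inside the repository silently redirects the write.
func naiveTarget(root, rel string) (string, error) {
	target := filepath.Join(root, filepath.Clean("/"+rel))
	if !under(root, target) {
		return "", ErrOutsideRoot
	}
	return target, nil
}

// safeTarget resolves symlinks on the root and on the parent directory of the
// target, refuses a final component that is itself a symlink, and only then
// checks containment. The file being written may not exist yet, which is why
// the parent directory rather than the full path is resolved.
func safeTarget(root, rel string) (string, error) {
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	target := filepath.Join(realRoot, filepath.Clean("/"+rel))
	realDir, err := filepath.EvalSymlinks(filepath.Dir(target))
	if err != nil {
		return "", err
	}
	resolved := filepath.Join(realDir, filepath.Base(target))
	if fi, err := os.Lstat(resolved); err == nil && fi.Mode()&os.ModeSymlink != 0 {
		return "", ErrOutsideRoot // writing through a symlinked file would follow it
	}
	if !under(realRoot, resolved) {
		return "", ErrOutsideRoot
	}
	return resolved, nil
}

// demo builds a temporary "repository" containing a docs -> ../outside symlink
// (the kind of entry an attacker can commit) and asks both checks whether
// writing docs/authorized_keys is allowed. The layout is constructed here.
func demo() (Result, error) {
	var r Result
	base, err := os.MkdirTemp("", "symlink-demo")
	if err != nil {
		return r, err
	}
	defer os.RemoveAll(base)
	root := filepath.Join(base, "repo")
	outside := filepath.Join(base, "outside")
	for _, d := range []string{root, outside} {
		if err := os.MkdirAll(d, 0o755); err != nil {
			return r, err
		}
	}
	if err := os.Symlink(outside, filepath.Join(root, "docs")); err != nil {
		return r, err
	}
	_, nerr := naiveTarget(root, "docs/authorized_keys")
	r.NaiveAccepted = nerr == nil
	_, serr := safeTarget(root, "docs/authorized_keys")
	r.SafeRejected = errors.Is(serr, ErrOutsideRoot)
	_, lerr := safeTarget(root, "README.md")
	r.LegitAllowed = lerr == nil
	return r, nil
}

func main() {
	r, err := demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("lexical check accepted symlinked path:  %v\n", r.NaiveAccepted)
	fmt.Printf("symlink-aware check rejected it:        %v\n", r.SafeRejected)
	fmt.Printf("symlink-aware check allows README.md:   %v\n", r.LegitAllowed)
}
```

The point to take from the example is that `filepath.Clean` plus a prefix check defends only against `../` in the request; once a repository checkout can contain symlinks, the target has to be resolved on disk (root and parent directory) and the final component checked with `Lstat` before the write is allowed.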
Key Points:
– CISA adds Gogs path traversal vulnerability CVE-2025-8110 to its Known Exploited Vulnerabilities catalog.
– The vulnerability allows remote code execution through improper symlink handling in the PutContents API.
– Wiz Research found the flaw while investigating a malware infection; the investigation revealed over 1,400 exposed, vulnerable Gogs instances.
– CISA requires federal civilian agencies to remediate the issue by February 2, 2026.
– Private organizations are also encouraged to check their Gogs deployments and patch or mitigate this critical vulnerability.