Gogs | Breaking Cybersecurity News | The Hacker News

A critical security vulnerability has been disclosed in Gogs, a popular open-source self-hosted Git service, that allows an authenticated user to execute arbitrary code under certain conditions. The security flaw, per Rapid7, is rated 9.4 on the CVSS scoring system. It does not have a CVE identifier. "The vulnerability allows any authenticated user to achieve remote code execution (RCE) on the server by creating a pull request with a malicious branch name that injects the --exec flag into git rebase during the 'Rebase before merging' merge operation," security researcher Jonah Burgess said . Rebasing is a Git action that's used to take a sequence of commits from one feature branch and replay them on top of another base branch to create a linear project history. While "git rebase" solves the same problem as "git merge" -- i.e., integrating changes from one branch into another -- the former rewrites the project history by creating new c...

A high-severity unpatched security vulnerability in Gogs has come under active exploitation, with more than 700 compromised instances accessible over the internet, according to new findings from Wiz. The flaw, tracked as CVE-2025-8110 (CVSS score: 8.7), is a case of file overwrite in the file update API of the Go-based self-hosted Git service. A fix for the issue is said to be currently in the works. The company said it accidentally discovered the zero-day flaw in July 2025 while investigating a malware infection on a customer's machine. "Improper symbolic link handling in the PutContents API in Gogs allows local execution of code," according to a description of the vulnerability in CVE.org. The cloud security company said CVE-2025-8110 is a bypass for a previously patched remote code execution flaw ( CVE-2024-55947 , CVSS score: 8.7) that allows an attacker to write a file to an arbitrary path on the server and gain SSH access to the server. CVE-2024-55947 was add...