# Gogs 文件更新API 文件覆盖漏洞
## 概述
Gogs 的 `PutContents` API 中存在符号链接处理不当的问题,可能导致本地代码执行。
## 影响版本
该漏洞影响 Gogs 的某些版本(具体受影响版本未明确列出,需进一步确认)。
## 细节
`PutContents` API 在处理文件内容写入时,未正确校验符号链接的目标路径,攻击者可通过构造恶意请求,诱使服务器将内容写入任意可访问的文件路径,从而导致任意文件被修改或覆盖。
## 影响
攻击者可利用该漏洞在目标系统上实现本地代码执行,获取服务器控制权限。
是否为 Web 类漏洞: 未知
判断理由:
| # | POC 描述 | 源链接 | 神龙链接 |
|---|---|---|---|
| 1 | Detection template for CVE-2025-8110 | https://github.com/rxerium/CVE-2025-8110 | POC详情 |
| 2 | CVE-2025-8110 | https://github.com/Ashwesker/Blackash-CVE-2025-8110 | POC详情 |
| 3 | CVE-2025-8110 PoC | https://github.com/zAbuQasem/gogs-CVE-2025-8110 | POC详情 |
| 4 | 验证 Gogs 版本 0.13.2 是否存在 **CVE-2025-8110 (符号链接文件覆盖)** 漏洞。 | https://github.com/111ddea/goga-cve-2025-8110 | POC详情 |
| 5 | None | https://github.com/tovd-go/CVE-2025-8110 | POC详情 |
| 6 | CVE-2025-8110 | https://github.com/Ashwesker/Ashwesker-CVE-2025-8110 | POC详情 |
| 7 | 🔍 Detect improper symbolic link handling in Gogs' PutContents API, exposing local code execution risks for versions 0.13.3 and earlier. | https://github.com/freiwi/CVE-2025-8110 | POC详情 |
| 8 | Gogs self-hosted Git service versions 0.13.3 and earlier contain a critical symlink bypass vulnerability that circumvents the fix for CVE-2024-55947. Authenticated users can exploit improper symbolic link handling in the PutContents API to overwrite files outside the repository by committing a symlink pointing to sensitive targets, leading to remote code execution. As of December 2025, this remains an unpatched zero-day with active exploitation ongoing. Approximately 1,400 exposed Gogs instances exist, with over 700 showing signs of compromise. The vulnerability stems from the API writing to file paths without checking if targets are symlinks pointing outside the repository. Gogs maintainers are working on a fix. | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-8110.yaml | POC详情 |
暂无评论