CVE-2025-64111: The Gogs Symlink Shimmy to RCE
Vulnerability ID: CVE-2025-64111
CVSS Score: 9.3
Published: 2026-02-06
A critical Remote Command Execution (RCE) vulnerability in Gogs allows attackers to bypass directory restrictions via symbolic links. By tricking the API into writing to a symlink pointing at .git/config, an attacker can inject malicious Git configurations and execute arbitrary commands on the server.
TL;DR
Gogs failed to recursively validate symbolic links in its file update API. Attackers can push a symlink to a repo, use the API to write through that link into .git/config, and achieve RCE via the core.sshCommand vector.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-59 (Link Resolution)
- Attack Vector: Network (API)
- CVSS Score: 9.3 (Critical)
- Impact: Remote Command Execution (RCE)
- Exploit Status: PoC Available
- Vector: Symlink Path Traversal
Affected Systems
- Gogs (Go Git Service) <= 0.13.3
-
Gogs: <= 0.13.3 (Fixed in:
0.13.4)
Code Analysis
Commit: c3eca1f
Prevent symlink path traversal in file updates
+ func hasSymlinkInPath(base, relPath string) bool { ... }
Commit: 9e70cdf
Enforce RepoWriter middleware on content API
m.Group("/contents", func() { ... }, reqRepoWriter())
Exploit Details
- GitHub Advisory: Official advisory containing attack vector details
Mitigation Strategies
- Input Validation
- Path Canonicalization
- Defense in Depth
Remediation Steps:
- Upgrade Gogs to version 0.13.4 or 0.14.0+dev immediately.
- Scan all repository
.git/configfiles on the server forcore.sshCommandorcore.editorentries. - Restrict API access if patching is not immediately possible.
References
Read the full report for CVE-2025-64111 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)