Wiz A.I CyberSecurity Scoring
Wiz
Company Information
Website: http://www.wizconsultancy.com
Employees number: 34
Number of followers: 1,263
NAICS: 5416
Industry Type: Business Consulting and Services
Homepage: wizconsultancy.com
Wiz Risk Score (AI oriented): 745/1000, Moderate (Ba), within the 700 to 749 band
Wiz, Business Consulting and Services
Updated: 04/04/2026
Wiz Global Score (TPRM): score locked
Wiz, Business Consulting and Services, Moderate
Current Score: 745 Ba (Moderate) on a 0 to 1000 scale
2 incidents, -3.5 average impact per incident
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026: 746
MAY 2026: 745
APRIL 2026: 745
MARCH 2026: 745
FEBRUARY 2026: 744
JANUARY 2026: 749
Vulnerability | 13 Jan 2026 • Wiz
Wiz: CISA Flags Actively Exploited Gogs Vulnerability With No Patch
Active Exploitation of CVE-2025-8110 in Gogs Self-Hosted Git Service
Score: 744 | Severity: CRITICAL-5 | Incident ID: WIZ1768387058
Critical Gogs Vulnerability (CVE-2025-8110) Actively Exploited in the Wild
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about CVE-2025-8110, a high-severity flaw in Gogs, the self-hosted Git service, now under active exploitation. The vulnerability, rated 8.7 (CVSS v4.0), has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, confirming real-world attacks.
The flaw stems from improper handling of symbolic links in Gogs’ PutContents API, which allows authenticated users to overwrite files outside a repository and achieve remote code execution (RCE). An attacker first commits a symbolic link to a repository and then writes to that path through the API; because the write follows the link, it can modify files outside the repository, such as Git’s sshCommand configuration, and so execute arbitrary code.
Discovery & Exploitation Timeline
Researchers at Wiz uncovered the vulnerability while investigating a malware infection in a customer’s system. Their analysis revealed that attackers had been abusing the flaw as a zero-day, bypassing protections introduced for a similar issue (CVE-2024-55947) in 2024. Since July 2025, multiple waves of attacks have been observed, with threat actors deploying malware linked to the Supershell command-and-control (C2) framework.
Scope of Exposure
Wiz identified over 700 compromised Gogs instances, while Censys data indicates 1,602 publicly exposed Gogs servers, primarily in China, the U.S., and Germany. The vulnerability affects Gogs versions up to 0.13.3, with no official patch currently available. However, code fixes have been submitted to the project’s main branch, and updated releases are expected soon.
Mitigation & Response
CISA has mandated Federal Civilian Executive Branch agencies to apply mitigations by February 2, 2026. Until a patch is released, organizations are advised to:
- Disable open registration if unnecessary.
- Restrict access via VPN or IP allow-listing.
- Monitor for suspicious activity, including repositories with random eight-character names or unusual API usage.
With exploitation ongoing, exposed Gogs instances remain at high risk. Administrators are urged to treat the threat as immediate and implement defensive measures.
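The symlink write path described above, as an added illustration of the bug class (a constructed example, not Gogs’ code or its fix): a lexical containment check passes a write to `cfg/hooks` because the path text stays inside the repository, while a check that resolves symlinks first sees the same write land outside it.

```python
import os
import tempfile


def naive_within_repo(repo_root: str, rel_path: str) -> bool:
    """Lexical check only: normalises '..' segments but never follows
    symlinks, so a committed link that points outside the repo passes."""
    root = os.path.abspath(repo_root)
    target = os.path.normpath(os.path.join(root, rel_path))
    return os.path.commonpath([root, target]) == root


def resolved_within_repo(repo_root: str, rel_path: str) -> bool:
    """Hardened check: resolve every symlink on the way (including one at a
    parent component) and require the final location to sit under the
    resolved repository root before any write is allowed."""
    root = os.path.realpath(repo_root)
    target = os.path.realpath(os.path.join(root, rel_path))
    return os.path.commonpath([root, target]) == root


def demo() -> dict:
    """Constructed scenario: a repo whose committed entry 'cfg' is a symlink
    to a directory outside the repo, followed by a write to 'cfg/hooks'.
    Returns the verdict of both checks for that write and for a benign one."""
    base = tempfile.mkdtemp()
    repo = os.path.join(base, "repo")
    outside = os.path.join(base, "outside")
    os.makedirs(repo)
    os.makedirs(outside)
    os.symlink(outside, os.path.join(repo, "cfg"))  # the committed symlink
    through_link = "cfg/hooks"   # write request that follows the link
    benign = "src/main.go"       # ordinary in-repo path
    return {
        "naive_allows_link_write": naive_within_repo(repo, through_link),
        "hardened_allows_link_write": resolved_within_repo(repo, through_link),
        "hardened_allows_benign_write": resolved_within_repo(repo, benign),
    }
```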
DECEMBER 2025: 749
NOVEMBER 2025: 749
OCTOBER 2025: 749
SEPTEMBER 2025: 750
Vulnerability | 01 Sep 2025 • Wiz
Amazon Web Services and Wiz: AWS CodeBuild Misconfiguration Exposed GitHub Repos to Potential Supply Chain Attacks
CodeBreach: AWS CodeBuild Misconfiguration Could Lead to Platform-Wide Compromise
Score: 748 | Severity: CRITICAL-2 | Incident ID: AMAWIZ1768515615
AWS CodeBuild Misconfiguration Could Have Enabled Supply Chain Attacks
In September 2025, Amazon Web Services (AWS) patched a critical misconfiguration in its AWS CodeBuild service that could have allowed attackers to take over the company’s own GitHub repositories, including the AWS JavaScript SDK (aws-sdk-js-v3), potentially compromising millions of AWS environments. The vulnerability, dubbed CodeBreach by cloud security firm Wiz, was disclosed responsibly on August 25, 2025, and stemmed from a flaw in CI pipeline webhook filters.
The issue centered on insecure regular expression (regex) patterns in CodeBuild’s webhook filters, which were designed to restrict build triggers to approved GitHub user IDs (ACTOR_ID). However, the filters lacked start (^) and end ($) anchors, allowing any user ID containing an approved sequence (e.g., 755743) to bypass restrictions. Since GitHub assigns numeric IDs sequentially, Wiz researchers exploited this by generating bot accounts with predictable IDs (e.g., 226755743) to match trusted maintainers’ IDs.
Once an attacker triggered a build, they could leak GitHub admin tokens, including a Personal Access Token (PAT) for the aws-sdk-js-automation user, granting full repository control. This access could have enabled malicious code injection, pull request approvals, and secrets exfiltration, paving the way for supply chain attacks affecting AWS services and dependent applications.
The misconfiguration impacted four AWS-managed repositories:
- aws-sdk-js-v3 (JavaScript SDK)
- aws-lc (cryptographic library)
- amazon-corretto-crypto-provider
- awslabs/open-data-registry
AWS confirmed the flaw was project-specific and not a systemic CodeBuild issue. While no exploitation was detected, the company implemented credential rotations, enhanced build process protections, and stricter regex validation to prevent recurrence.
The incident underscores the high-risk nature of CI/CD pipelines, where minor misconfigurations can lead to large-scale breaches. Similar vulnerabilities in GitHub Actions workflows, such as pull_request_target misconfigurations, have previously exposed projects from Google, Microsoft, and NVIDIA to remote code execution (RCE) and secrets theft. Security researchers emphasize that untrusted code should never trigger privileged pipelines without proper validation.
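A defender’s audit for the filter weakness described above, as an added example (not AWS’s or Wiz’s code): the filter group structure and the ACTOR_ID type name are constructed to follow the write-up, the second approved ID is made up, and the audit probes each allowed ID with extra digits so that a missing or mis-grouped anchor is caught by behaviour rather than by inspecting the regex text.

```python
import re

# Constructed CodeBuild-style webhook filter group (naming follows the
# write-up; the service's actual schema may differ). The ACTOR_ID pattern
# lacks ^ and $ anchors, which is the CodeBreach weakness.
WEBHOOK_FILTER_GROUP = [
    {"type": "EVENT", "pattern": "PULL_REQUEST_CREATED,PULL_REQUEST_UPDATED"},
    {"type": "ACTOR_ID", "pattern": "755743|1234567"},  # 1234567 is a made-up second ID
]


def filter_allows(pattern: str, actor_id: str) -> bool:
    """Substring-style evaluation (re.search): the behaviour that lets an ID
    merely containing an approved sequence, such as 226755743, pass."""
    return re.search(pattern, actor_id) is not None


def anchored(pattern: str) -> str:
    """Correct form: group the alternation, then anchor both ends. Anchoring
    without grouping ('^755743|1234567$') only anchors the outer alternatives."""
    return rf"^(?:{pattern})$"


def audit_actor_filters(group: list) -> list:
    """Flag ACTOR_ID filters that also accept an allowed ID padded with an
    extra digit on either side. Returns one finding per leaking allowed ID,
    with the probe IDs that slipped through and the anchored replacement."""
    findings = []
    for f in group:
        if f["type"] != "ACTOR_ID":
            continue
        pattern = f["pattern"]
        for allowed in re.findall(r"\d+", pattern):
            probes = [f"9{allowed}", f"{allowed}9", f"9{allowed}9"]
            leaked = [p for p in probes if filter_allows(pattern, p)]
            if leaked:
                findings.append({"pattern": pattern, "allowed_id": allowed,
                                 "also_accepts": leaked, "fix": anchored(pattern)})
    return findings
```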
AUGUST 2025: 750
JULY 2025: 750
Frequently Asked Questions
What is the current A.I Rankiteo Cyber Score for Wiz?
What was Wiz's A.I Rankiteo Cyber Score in May 2026?
What was Wiz's A.I Rankiteo Cyber Score in April 2026?
What was Wiz's A.I Rankiteo Cyber Score in March 2026?
What was Wiz's A.I Rankiteo Cyber Score in February 2026?
What was Wiz's A.I Rankiteo Cyber Score in January 2026?
What was Wiz's A.I Rankiteo Cyber Score in December 2025?
What was Wiz's A.I Rankiteo Cyber Score in November 2025?
What was Wiz's A.I Rankiteo Cyber Score in October 2025?
What was Wiz's A.I Rankiteo Cyber Score in September 2025?
What was Wiz's A.I Rankiteo Cyber Score in August 2025?
What was Wiz's A.I Rankiteo Cyber Score in July 2025?
What is the average per-incident point impact on Wiz's A.I Rankiteo Cyber Score over the past 12 months?
Where can I access detailed records of all cyber incidents associated with Wiz?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
Where can I view Wiz's profile page on Rankiteo?
How accurate is the A.I Rankiteo Risk Scoring methodology?