Gogs Path Traversal Vulnerability (CVE-2025-8110)
Detects exploitation attempts targeting CVE-2025-8110, a path traversal vulnerability (CWE-22) in Gogs self-hosted Git service. Attackers can craft malicious HTTP requests containing directory traversal sequences to read arbitrary files outside the intended web root, potentially exposing sensitive configuration files, SSH keys, or repository data. This vulnerability is listed in the CISA KEV catalog indicating active exploitation in the wild.
Vulnerability Intelligence
KEV — Known ExploitedAffected Software
- Vendor
- Gogs
- Product
- Gogs
Weakness (CWE)
Timeline
- Disclosed
- January 12, 2026
CVSS
What is CVE-2025-8110 Gogs Path Traversal Vulnerability (CVE-2025-8110)?
Gogs Path Traversal Vulnerability (CVE-2025-8110) (CVE-2025-8110) maps to the Initial Access and Credential Access and Collection tactics — the adversary is trying to get into your network in MITRE ATT&CK.
This page provides production-ready detection logic for Gogs Path Traversal Vulnerability (CVE-2025-8110), covering the data sources and telemetry it touches: CommonSecurityLog, W3CIISLog, AzureDiagnostics, Web Application Firewall logs. The queries below are rated critical severity at high confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.
MITRE ATT&CK
union isfuzzy=true
(
CommonSecurityLog
| where DeviceVendor has_any ("nginx", "apache", "caddy", "haproxy")
| where RequestURL matches regex @"(\.\./|%2e%2e%2f|%2e%2e/|\.%2e/|%252e%252e|\.\.\\|%2e%2e%5c)"
| where RequestURL has_any ("/etc/passwd", "/etc/shadow", "app.ini", "id_rsa", ".ssh", "conf/app.ini")
| project TimeGenerated, DeviceVendor, DeviceProduct, SourceIP, DestinationHostName, RequestURL, RequestMethod, DeviceAction
),
(
W3CIISLog
| where csUriStem matches regex @"(\.\./|%2e%2e%2f|%2e%2e/|\.%2e/|%252e%252e)"
| where csUriStem has_any ("/etc/passwd", "/etc/shadow", "app.ini", "id_rsa", ".ssh")
| project TimeGenerated, cIP, csHost, csUriStem, csMethod, scStatus
),
(
AzureDiagnostics
| where Category == "ApplicationGatewayAccessLog"
| where requestUri_s matches regex @"(\.\./|%2e%2e%2f|%2e%2e/|\.%2e/|%252e%252e)"
| where requestUri_s has_any ("/etc/passwd", "app.ini", "id_rsa", ".ssh")
| project TimeGenerated, clientIP_s, host_s, requestUri_s, httpMethod_s, httpStatus_i
)
| summarize RequestCount=count(), UniqueURLs=dcount(RequestURL), EarliestEvent=min(TimeGenerated) by SourceIP, RequestURL
| where RequestCount >= 1
| extend Severity="High", AlertName="Gogs Path Traversal Attempt CVE-2025-8110"Detects HTTP requests containing path traversal sequences targeting Gogs server endpoints, focusing on attempts to access sensitive files like app.ini, /etc/passwd, or SSH keys via directory traversal patterns in the request URI.
Data Sources
Required Tables
False Positives
- Legitimate security scanners or vulnerability assessment tools performing authorized scans against Gogs instances
- Web application firewall testing or red team exercises with documented traversal payloads
- URL encoding used legitimately in repository names or file paths containing dots and slashes
- Automated dependency update bots that may construct unusual URL paths
Sigma rule & cross-platform mapping
The detection logic for Gogs Path Traversal Vulnerability (CVE-2025-8110) (CVE-2025-8110) above is provided in a vendor-neutral
form so you can deploy it on any SIEM. The same logic is shipped here as native
KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the
following logsource:
logsource:
category: network_connection
product: windowsBrowse the community-maintained Sigma rules for this technique:
Platform-specific guides for CVE-2025-8110
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Basic Gogs Path Traversal - Read app.ini
Expected signal: HTTP GET requests to Gogs port (3000) with ../ and %2e%2e sequences in URI visible in access logs; 200 response with app.ini content if vulnerable, 400/403/404 if patched or WAF blocks
- Test 2Gogs Path Traversal - SSH Key Extraction
Expected signal: HTTP requests with mixed encoding traversal patterns (%2f for /) targeting .ssh and id_rsa paths; response codes and body sizes indicate exploitation success or failure
- Test 3Automated Gogs Traversal Scan with Multiple Encoding Variants
Expected signal: Burst of HTTP requests from single source IP within seconds, each containing different encoding variants of traversal sequences; some requests may return 200 with file content if instance is vulnerable
Unlock Pro Content
Get the full detection package for CVE-2025-8110 including response playbook, investigation guide, and atomic red team tests.