Git server flaw that attackers have been abusing for months has now caught the attention of US cyber cops
theregister.co.uk
CISA has ordered federal agencies to stop using Gogs or lock it down immediately after a high-severity vulnerability in the self-hosted Git service was added to its Known Exploited Vulnerabilities (KEV) catalog.
The US cybersecurity agency added the path traversal flaw to the KEV list on Monday, triggering urgent remediation requirements for federal civilian executive branch (FCEB) agencies. CISA's advisory warns that the vulnerability is being weaponized in attacks, and that agencies should apply mitigations or simply stop using the product if workarounds aren't available.
"This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise," CISA said in its alert.
The vulnerability, tracked as CVE-2025-8110, was first brought to light in December by Wiz security researchers, who stumbled on the unpatched flaw in July while investigating malware on an infected machine.
The bug allows authenticated users to ...
Copyright of this story solely belongs to theregister.co.uk.

