Saved February 14, 2026
Do you care about this?
CISA has mandated that U.S. government agencies patch a serious remote code execution vulnerability in Gogs, identified as CVE-2025-8110. This flaw, stemming from a path traversal issue, allows attackers to overwrite files outside the repository and execute arbitrary commands. Over 1,400 Gogs servers remain exposed, with a second wave of attacks observed recently.
If you do, here's more
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has mandated that federal agencies address a critical vulnerability in Gogs, a self-hosted Git service, tracked as CVE-2025-8110. This flaw, stemming from a path traversal issue in the PutContents API, allows authenticated attackers to exploit symbolic links to overwrite files outside of designated repositories. This vulnerability has been linked to zero-day attacks, highlighting its urgency. CISA has set a deadline of February 2, 2026, for agencies to implement patches.
Wiz Research discovered the vulnerability during a malware investigation on a customer's Gogs server and reported it to the maintainers on July 17. Three months later, on October 30, the maintainers acknowledged the report and released patches that added symlink-aware path validation. Attacks exploiting this flaw intensified, with a second wave noted on November 1. Wiz found over 1,400 Gogs servers exposed online, with about 700 showing signs of compromise.
CISA warns that such vulnerabilities are common attack vectors for cybercriminals and pose significant risks. Agencies are urged to follow vendor instructions for mitigations, and if those are unavailable, to stop using the product. Gogs users are advised to disable open registration and limit server access through VPNs. Admins should check for unusual activity related to the PutContents API and monitor for repositories with random eight-character names created during the attack waves.
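The two hunting signals the article mentions (PutContents API activity and repositories with random eight-character names) can be triaged from access logs. The following is an added example, not code from the article, Wiz or the Gogs project; it assumes a reverse proxy in front of Gogs writing combined-style log lines and that PutContents is reached at `PUT /api/v1/repos/{owner}/{repo}/contents/{path}`, and the log lines are constructed.

```python
import re
from collections import Counter

# Constructed sample access-log lines (assumption: combined-log-like format from a
# reverse proxy in front of Gogs; adapt LOG_RE to whatever your proxy writes).
SAMPLE_LOG = """\
10.0.0.5 - alice [30/Oct/2025:09:12:01 +0000] "PUT /api/v1/repos/alice/frontend/contents/README.md HTTP/1.1" 200
10.0.0.9 - bob [30/Oct/2025:09:13:40 +0000] "GET /api/v1/repos/bob/tools HTTP/1.1" 200
198.51.100.7 - newuser1 [01/Nov/2025:02:41:10 +0000] "POST /api/v1/user/repos HTTP/1.1" 201
198.51.100.7 - newuser1 [01/Nov/2025:02:41:12 +0000] "PUT /api/v1/repos/newuser1/k3x9q2mz/contents/hook.sh HTTP/1.1" 200
198.51.100.7 - newuser1 [01/Nov/2025:02:41:13 +0000] "PUT /api/v1/repos/newuser1/k3x9q2mz/contents/run.sh HTTP/1.1" 200
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Assumption: PutContents is served at PUT /api/v1/repos/{owner}/{repo}/contents/{path}.
CONTENTS_RE = re.compile(r'^/api/v1/repos/(?P<owner>[^/]+)/(?P<repo>[^/]+)/contents/')

def looks_random(name: str) -> bool:
    """Coarse heuristic for random eight-character repo names: 8 alphanumerics with a digit or almost no vowels."""
    if not re.fullmatch(r'[A-Za-z0-9]{8}', name):
        return False
    has_digit = any(ch.isdigit() for ch in name)
    vowels = sum(ch in 'aeiouAEIOU' for ch in name)
    return has_digit or vowels < 2  # real words like 'frontend' pass through

def triage(log_text: str) -> list[dict]:
    """Return one finding per PutContents call, tagged with the reasons it is notable."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m['method'] != 'PUT':
            continue
        c = CONTENTS_RE.match(m['path'])
        if not c:
            continue
        reasons = ['PutContents call']
        if looks_random(c['repo']):
            reasons.append('eight-character repository name')
        findings.append({'ip': m['ip'], 'user': m['user'], 'ts': m['ts'],
                         'owner': c['owner'], 'repo': c['repo'], 'reasons': reasons})
    return findings

def suspect_repos(findings: list[dict]) -> Counter:
    """Count PutContents calls per (owner, repo) whose name looks random."""
    return Counter((f['owner'], f['repo']) for f in findings
                   if 'eight-character repository name' in f['reasons'])
```

Every PutContents call is kept in the findings for review; `suspect_repos` narrows them to the repositories worth looking at first, and the name heuristic should be tuned to your own naming conventions to limit false positives.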