CVE-2025-68938
Unknown Unknown - Not Provided
Authorization Bypass in Gitea Releases Deletion Before

Publication date: 2025-12-26

Last updated on: 2025-12-26

Assigner: MITRE

Description
Gitea before 1.25.2 mishandles authorization for deletion of releases.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-26
Last Modified
2025-12-26
Generated
2026-06-16
AI Q&A
2025-12-26
EPSS Evaluated
2026-06-15
NVD
CVE-2025-68938
EUVD
EUVD-2025-205406
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
gitea gitea 1.25.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-68938 is a security vulnerability in Gitea versions before 1.25.2 where the software mishandles authorization for deleting releases. This means that the permission checks controlling who can delete releases were flawed, potentially allowing unauthorized users to delete release tags or content. The fix involved correcting permission checks to ensure only properly authorized users can perform deletion actions, along with other related permission and authentication improvements. [2, 3]

Impact Analysis

This vulnerability can impact you by allowing unauthorized users to delete releases in your Gitea repository, which could lead to loss of important release data or disruption of your software distribution. Although it does not affect confidentiality or integrity of the code directly, it can cause availability issues by removing release artifacts. Additionally, improper authorization could lead to privilege escalation or unauthorized actions within your repository management. [2, 3]

Detection Guidance

Detection of this vulnerability involves verifying if your Gitea instance is running a version prior to 1.25.2, as those versions mishandle authorization for deletion of releases. You can check the Gitea version by running the command `gitea --version` on the server hosting Gitea. Additionally, monitoring API calls related to release deletion for unauthorized attempts or unexpected HTTP 200 responses when unauthorized users attempt deletions may help detect exploitation attempts. However, no specific detection commands or signatures are provided in the available resources. [1, 2, 3]

Mitigation Strategies

The immediate mitigation step is to upgrade your Gitea instance to version 1.25.2 or later, which includes fixes for CVE-2025-68938. This update corrects permission validations for deleting releases and other related security improvements. If upgrading immediately is not possible, restrict access to the release deletion functionality to trusted users only and monitor logs for suspicious activity. Applying the official patch or update from the Gitea project is strongly recommended to ensure proper authorization handling. [1, 2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68938. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart