CVE-2025-68938
Unknown Unknown - Not Provided

Authorization Bypass in Gitea Releases Deletion Before

Vulnerability report for CVE-2025-68938, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-12-26

Last updated on: 2025-12-26

Assigner: MITRE

Description

Gitea before 1.25.2 mishandles authorization for deletion of releases.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-12-26
Last Modified
2025-12-26
Generated
2026-07-06
AI Q&A
2025-12-26
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
gitea gitea 1.25.2

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2025-68938 is a security vulnerability in Gitea versions before 1.25.2 where the software mishandles authorization for deleting releases. This means that the permission checks controlling who can delete releases were flawed, potentially allowing unauthorized users to delete release tags or content. The fix involved correcting permission checks to ensure only properly authorized users can perform deletion actions, along with other related permission and authentication improvements. [2, 3]

Impact Analysis

This vulnerability can impact you by allowing unauthorized users to delete releases in your Gitea repository, which could lead to loss of important release data or disruption of your software distribution. Although it does not affect confidentiality or integrity of the code directly, it can cause availability issues by removing release artifacts. Additionally, improper authorization could lead to privilege escalation or unauthorized actions within your repository management. [2, 3]

Detection Guidance

Detection of this vulnerability involves verifying if your Gitea instance is running a version prior to 1.25.2, as those versions mishandle authorization for deletion of releases. You can check the Gitea version by running the command `gitea --version` on the server hosting Gitea. Additionally, monitoring API calls related to release deletion for unauthorized attempts or unexpected HTTP 200 responses when unauthorized users attempt deletions may help detect exploitation attempts. However, no specific detection commands or signatures are provided in the available resources. [1, 2, 3]

Mitigation Strategies

The immediate mitigation step is to upgrade your Gitea instance to version 1.25.2 or later, which includes fixes for CVE-2025-68938. This update corrects permission validations for deleting releases and other related security improvements. If upgrading immediately is not possible, restrict access to the release deletion functionality to trusted users only and monitor logs for suspicious activity. Applying the official patch or update from the Gitea project is strongly recommended to ensure proper authorization handling. [1, 2, 3]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68938. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart