CVE-2025-68939
Unknown Unknown - Not Provided
Insecure File Extension Bypass in Gitea Attachments API

Publication date: 2025-12-26

Last updated on: 2025-12-26

Assigner: MITRE

Description
Gitea before 1.23.0 allows attackers to add attachments with forbidden file extensions by editing an attachment name via an attachment API.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-26
Last Modified
2025-12-26
Generated
2026-06-16
AI Q&A
2025-12-26
EPSS Evaluated
2026-06-15
NVD
CVE-2025-68939
EUVD
EUVD-2025-205411
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
gitea gitea 1.23.1
gitea gitea 1.23.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-424 The product does not sufficiently protect all possible paths that a user can take to access restricted functionality or resources.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-68939 is a vulnerability in the Gitea platform before version 1.23.0 where attackers with repository write access or issue posting rights could bypass file extension restrictions by editing attachment names via the attachment API. This allowed them to add attachments with forbidden file extensions, potentially uploading unsafe or malicious files. The issue existed because the verification logic only checked file extensions superficially and did not consider MIME types or empty files properly. The fix introduced strict validation of both file extensions and MIME types during upload and edit operations, disallowing empty files and preventing users from circumventing restrictions by renaming attachments. [1]

Impact Analysis

This vulnerability can impact you by allowing attackers to upload or rename attachments with disallowed or potentially dangerous file types in your Gitea repositories or issues. This could lead to security risks such as execution of malicious code, distribution of malware, or unauthorized access through unsafe files. Since the vulnerability allows bypassing file extension restrictions, it undermines the security controls intended to prevent unsafe file uploads, potentially compromising the integrity and security of your Gitea instance. [1, 2, 3]

Detection Guidance

Detection of CVE-2025-68939 involves monitoring for attempts to upload or rename attachments with forbidden file extensions via the Gitea attachment API. Since the vulnerability allows bypassing file extension restrictions by editing attachment names, you can detect suspicious API calls that modify attachment names to include disallowed extensions. Specific commands are not provided in the resources, but general approaches include: - Reviewing Gitea server logs for API requests to attachment endpoints that include file extension changes. - Using network monitoring tools to capture and analyze HTTP requests to the attachment API for suspicious file extension edits. - Employing custom scripts or API audit tools to query attachments and verify if any have forbidden extensions despite restrictions. No explicit commands are detailed in the provided resources. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade Gitea to version 1.23.0 or later, where the vulnerability is fixed by enforcing strict file extension and MIME type checks in the attachment API, preventing bypass via attachment name edits. Additionally, it is recommended to back up your data before upgrading and review configuration changes introduced in the new version. Applying the patch that includes the fix (#32151) ensures that empty files are disallowed and both file extensions and MIME types are validated consistently. If upgrading immediately is not possible, consider restricting repository write access and issue poster permissions to trusted users to reduce risk. [1, 2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68939. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart