CVE-2025-68939
Insecure File Extension Bypass in Gitea Attachments API
Publication date: 2025-12-26
Last updated on: 2025-12-26
Assigner: MITRE
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gitea | gitea | 1.23.1 |
| gitea | gitea | 1.23.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-424 | The product does not sufficiently protect all possible paths that a user can take to access restricted functionality or resources. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-68939 is a vulnerability in the Gitea platform before version 1.23.0 where attackers with repository write access or issue posting rights could bypass file extension restrictions by editing attachment names via the attachment API. This allowed them to add attachments with forbidden file extensions, potentially uploading unsafe or malicious files. The issue existed because the verification logic only checked file extensions superficially and did not consider MIME types or empty files properly. The fix introduced strict validation of both file extensions and MIME types during upload and edit operations, disallowing empty files and preventing users from circumventing restrictions by renaming attachments. [1]
How can this vulnerability impact me?
This vulnerability can impact you by allowing attackers to upload or rename attachments with disallowed or potentially dangerous file types in your Gitea repositories or issues. This could lead to security risks such as execution of malicious code, distribution of malware, or unauthorized access through unsafe files. Since the vulnerability allows bypassing file extension restrictions, it undermines the security controls intended to prevent unsafe file uploads, potentially compromising the integrity and security of your Gitea instance. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of CVE-2025-68939 involves monitoring for attempts to upload or rename attachments with forbidden file extensions via the Gitea attachment API. Since the vulnerability allows bypassing file extension restrictions by editing attachment names, you can look for API calls that change an attachment name to one with a disallowed extension. Specific commands are not provided in the resources, but general approaches include:
- Reviewing Gitea server logs for API requests to attachment endpoints that change the attachment name or extension.
- Using network monitoring tools to capture and analyze HTTP requests to the attachment API for suspicious file extension edits.
- Employing custom scripts or API audit tools to query existing attachments and verify whether any carry forbidden extensions despite the configured restrictions. [1]
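The third approach, auditing the attachments that already exist, is the one that does not depend on catching the rename request in flight. The following Go program is an added example written for this page, not code from Gitea or from the resources cited above. It assumes you have already fetched an attachment listing from the Gitea API as a JSON array and that each object carries `id`, `name` and `size` fields (the field names are taken from Gitea's public attachment JSON as I know it and are an assumption here); the sample listing is constructed. It flags every attachment whose extension is not on the allowlist and every zero-byte attachment, since empty files were part of the original bypass.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path"
	"strings"
)

// attachment holds the subset of a Gitea attachment object this audit needs.
// The JSON field names are an assumption based on the public API.
type attachment struct {
	ID   int64  `json:"id"`
	Name string `json:"name"`
	Size int64  `json:"size"`
}

// Finding records one attachment that violates the policy and why.
type Finding struct {
	ID     int64
	Name   string
	Reason string
}

// sampleListing is a constructed attachment listing used to exercise the audit.
const sampleListing = `[
  {"id": 1, "name": "screenshot.png", "size": 23104},
  {"id": 2, "name": "notes.PDF", "size": 880},
  {"id": 3, "name": "update.exe", "size": 4096},
  {"id": 4, "name": "placeholder.png", "size": 0}
]`

// AuditAttachments parses a JSON attachment listing and returns findings for
// every attachment whose lowercased extension is not in the allowlist and for
// every attachment of size zero. Extensions in the allowlist are given with a
// leading dot (".png"); matching is case-insensitive.
func AuditAttachments(raw []byte, allowed []string) ([]Finding, error) {
	var items []attachment
	if err := json.Unmarshal(raw, &items); err != nil {
		return nil, fmt.Errorf("parse attachment list: %w", err)
	}
	allow := make(map[string]bool, len(allowed))
	for _, ext := range allowed {
		allow[strings.ToLower(strings.TrimSpace(ext))] = true
	}
	var findings []Finding
	for _, a := range items {
		// Trim whitespace so a name such as "shell.php " cannot hide its extension.
		ext := strings.ToLower(path.Ext(strings.TrimSpace(a.Name)))
		if ext == "" || !allow[ext] {
			findings = append(findings, Finding{a.ID, a.Name, "extension not in allowlist: " + ext})
		}
		if a.Size == 0 {
			findings = append(findings, Finding{a.ID, a.Name, "empty file"})
		}
	}
	return findings, nil
}

func main() {
	findings, err := AuditAttachments([]byte(sampleListing), []string{".png", ".pdf", ".txt"})
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("attachment %d (%s): %s\n", f.ID, f.Name, f.Reason)
	}
}
```

Run it against the real listing by replacing `sampleListing` with the API response body and the allowlist with the extensions your instance permits; any finding is an attachment that either should not have been accepted or was renamed after upload.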
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Gitea to version 1.23.0 or later, where the vulnerability is fixed by enforcing strict file extension and MIME type checks in the attachment API, preventing bypass via attachment name edits. Additionally, it is recommended to back up your data before upgrading and review configuration changes introduced in the new version. Applying the patch that includes the fix (#32151) ensures that empty files are disallowed and both file extensions and MIME types are validated consistently. If upgrading immediately is not possible, consider restricting repository write access and issue poster permissions to trusted users to reduce risk. [1, 2, 3]
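To make the shape of the fix concrete, here is an added Go example (written for this page; it is not Gitea's code and does not reproduce the referenced patch) of an attachment store that applies one validation routine on both the upload path and the rename path. The policy is modelled loosely on an allowlist of extensions and MIME types, as the explanation above describes; requiring both the extension and the sniffed content type to be allowlisted is this example's own, deliberately strict, choice. Empty files are rejected outright because `http.DetectContentType` reports an empty body as `text/plain`, which would otherwise pass any policy that allows plain text. The `Store`, `Policy` and sample inputs are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"mime"
	"net/http"
	"path"
	"strings"
)

// Sentinel errors let callers distinguish why an attachment was refused.
var (
	ErrEmptyFile  = errors.New("empty attachment")
	ErrNotAllowed = errors.New("attachment type not allowed")
)

// Policy is an allowlist of extensions (".png") and MIME types ("image/png").
// Treating an entry as an extension when it starts with a dot is an
// assumption of this example.
type Policy struct {
	exts  map[string]bool
	mimes map[string]bool
}

func NewPolicy(entries ...string) Policy {
	p := Policy{exts: map[string]bool{}, mimes: map[string]bool{}}
	for _, e := range entries {
		e = strings.ToLower(strings.TrimSpace(e))
		if strings.HasPrefix(e, ".") {
			p.exts[e] = true
		} else if e != "" {
			p.mimes[e] = true
		}
	}
	return p
}

// Validate is the single check shared by upload and rename. It refuses empty
// content, then requires the extension and the sniffed MIME type to be allowed.
func (p Policy) Validate(name string, content []byte) error {
	if len(content) == 0 {
		return ErrEmptyFile
	}
	ext := strings.ToLower(path.Ext(strings.TrimSpace(name)))
	if ext == "" || !p.exts[ext] {
		return fmt.Errorf("%w: extension %q", ErrNotAllowed, ext)
	}
	// DetectContentType sniffs the first bytes; strip any charset parameter.
	ct, _, err := mime.ParseMediaType(http.DetectContentType(content))
	if err != nil || !p.mimes[ct] {
		return fmt.Errorf("%w: content type %q", ErrNotAllowed, ct)
	}
	return nil
}

// Stored is one attachment in the in-memory store.
type Stored struct {
	Name    string
	Content []byte
}

type Store struct {
	policy Policy
	items  map[int64]*Stored
	next   int64
}

func NewStore(p Policy) *Store {
	return &Store{policy: p, items: map[int64]*Stored{}, next: 1}
}

// Upload validates the name and content together before storing.
func (s *Store) Upload(name string, content []byte) (int64, error) {
	if err := s.policy.Validate(name, content); err != nil {
		return 0, err
	}
	id := s.next
	s.next++
	s.items[id] = &Stored{Name: name, Content: append([]byte(nil), content...)}
	return id, nil
}

// Rename re-runs the same validation against the stored bytes before accepting
// the new name. Omitting this step is what lets a user upload an allowed file
// and then rename it to a forbidden extension.
func (s *Store) Rename(id int64, newName string) error {
	a, ok := s.items[id]
	if !ok {
		return fmt.Errorf("attachment %d not found", id)
	}
	if err := s.policy.Validate(newName, a.Content); err != nil {
		return err
	}
	a.Name = newName
	return nil
}

// Name returns the current name of a stored attachment ("" if unknown).
func (s *Store) Name(id int64) string {
	if a, ok := s.items[id]; ok {
		return a.Name
	}
	return ""
}

func main() {
	s := NewStore(NewPolicy(".png", ".txt", "image/png", "text/plain"))
	id, err := s.Upload("notes.txt", []byte("meeting notes\n")) // constructed input
	fmt.Println("upload:", id, err)
	fmt.Println("rename to .exe:", s.Rename(id, "notes.exe"), "name is still", s.Name(id))
}
```

The rename path is where the original bypass lived, so the property to test is that `Rename` refuses a forbidden name even though the stored content was accepted at upload time, and that the stored name is unchanged after the refusal.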