CVE-2025-68940
Improper Permission Enforcement in Gitea Branch Deletion Post-Merge
Publication date: 2025-12-26
Last updated on: 2025-12-26
Assigner: MITRE
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gitea | gitea | 1.22.5 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Gitea before version 1.22.5 involves improper enforcement of branch deletion permissions after merging a pull request. Specifically, the system did not adequately verify whether a user had the necessary rights to delete branches, potentially allowing unauthorized users to delete branches in a repository. This flaw was fixed by refactoring the permission checking logic to ensure only authorized users can delete branches, adding additional permission checks, error handling, and comprehensive tests to prevent unauthorized branch deletions. [1, 2, 3]
How can this vulnerability impact me?
This vulnerability can impact you by allowing unauthorized users to delete branches in your Gitea repositories after merging pull requests. Such unauthorized deletions could disrupt your development workflow, cause loss of important code branches, and potentially affect the integrity and stability of your codebase. It may also lead to confusion among team members and require recovery efforts to restore deleted branches. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability relates to improper enforcement of branch deletion permissions in Gitea before version 1.22.5. Detection would involve verifying if your Gitea instance is running a version prior to 1.22.5. You can check the Gitea version by running the command `gitea --version` on the server hosting Gitea. Additionally, reviewing branch deletion logs or audit trails for unauthorized branch deletions may help detect exploitation attempts. There are no specific commands provided in the resources for detecting this vulnerability beyond version checking and log review. [1, 2, 3]
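The version check described above, written out as an added example (not code from the page or from the Gitea project); it assumes `gitea --version` prints a first line of the form "Gitea version X.Y.Z ..." and uses constructed sample lines instead of real server output.

```shell
#!/bin/sh
# Added example: decide whether a Gitea version string is older than the
# fixed release 1.22.5 for CVE-2025-68940.
# Assumption: `gitea --version` prints a line starting "Gitea version X.Y.Z ...".

FIXED_VERSION="1.22.5"   # first release that contains the fix

# extract_version: pull the dotted X.Y.Z out of a `gitea --version` line,
# dropping any build suffix such as "+dev-..." or "-rc1".
extract_version() {
    printf '%s\n' "$1" | sed -n 's/^Gitea version \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# version_lt A B: true (exit 0) when A < B, comparing each numeric field in turn
# (a plain string compare would wrongly rank 1.22.10 below 1.22.5).
version_lt() {
    a1=${1%%.*}; rest=${1#*.}; a2=${rest%%.*}; a3=${rest#*.}
    b1=${2%%.*}; rest=${2#*.}; b2=${rest%%.*}; b3=${rest#*.}
    [ "$a1" -lt "$b1" ] && return 0
    [ "$a1" -gt "$b1" ] && return 1
    [ "$a2" -lt "$b2" ] && return 0
    [ "$a2" -gt "$b2" ] && return 1
    [ "$a3" -lt "$b3" ]
}

# is_affected: given a raw `gitea --version` line, print affected / fixed / unknown
is_affected() {
    v=$(extract_version "$1")
    if [ -z "$v" ]; then
        echo unknown            # output did not match the expected format
    elif version_lt "$v" "$FIXED_VERSION"; then
        echo affected           # older than 1.22.5: upgrade needed
    else
        echo fixed
    fi
}

# Constructed sample lines (not captured from a real server):
SAMPLE_OLD="Gitea version 1.22.4 built with GNU Make 4.4.1, go1.22.10 : bindata, sqlite"
SAMPLE_NEW="Gitea version 1.22.5 built with GNU Make 4.4.1, go1.22.10 : bindata, sqlite"

# On a real host replace the sample with: is_affected "$(gitea --version | head -n 1)"
is_affected "$SAMPLE_OLD"
is_affected "$SAMPLE_NEW"
```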
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to upgrade your Gitea installation to version 1.22.5 or later, where the branch deletion permission enforcement issue has been fixed. This update includes the security fix implemented in pull request #32654, which ensures proper permission checks on branch deletion after merging pull requests. Users are strongly advised to apply this update promptly to prevent unauthorized branch deletions. [1, 2, 3]