CVE-2025-68940
Unknown Unknown - Not Provided
Improper Permission Enforcement in Gitea Branch Deletion Post-Merge

Publication date: 2025-12-26

Last updated on: 2025-12-26

Assigner: MITRE

Description
In Gitea before 1.22.5, branch deletion permissions are not adequately enforced after merging a pull request.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-26
Last Modified
2025-12-26
Generated
2026-06-16
AI Q&A
2025-12-26
EPSS Evaluated
2026-06-15
NVD
CVE-2025-68940
EUVD
EUVD-2025-205410
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
gitea gitea 1.22.5
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in Gitea before version 1.22.5 involves improper enforcement of branch deletion permissions after merging a pull request. Specifically, the system did not adequately verify whether a user had the necessary rights to delete branches, potentially allowing unauthorized users to delete branches in a repository. This flaw was fixed by refactoring the permission checking logic to ensure only authorized users can delete branches, adding additional permission checks, error handling, and comprehensive tests to prevent unauthorized branch deletions. [1, 2, 3]

Impact Analysis

This vulnerability can impact you by allowing unauthorized users to delete branches in your Gitea repositories after merging pull requests. Such unauthorized deletions could disrupt your development workflow, cause loss of important code branches, and potentially affect the integrity and stability of your codebase. It may also lead to confusion among team members and require recovery efforts to restore deleted branches. [1, 2]

Detection Guidance

This vulnerability relates to improper enforcement of branch deletion permissions in Gitea before version 1.22.5. Detection would involve verifying if your Gitea instance is running a version prior to 1.22.5. You can check the Gitea version by running the command `gitea --version` on the server hosting Gitea. Additionally, reviewing branch deletion logs or audit trails for unauthorized branch deletions may help detect exploitation attempts. There are no specific commands provided in the resources for detecting this vulnerability beyond version checking and log review. [1, 2, 3]

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade your Gitea installation to version 1.22.5 or later, where the branch deletion permission enforcement issue has been fixed. This update includes the security fix implemented in pull request #32654, which ensures proper permission checks on branch deletion after merging pull requests. Users are strongly advised to apply this update promptly to prevent unauthorized branch deletions. [1, 2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68940. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart