CVE-2025-68945
Unauthorized Access in Gitea Before 1.21.2 Allows Private Project Exposure
Publication date: 2025-12-26
Last updated on: 2025-12-26
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gitea | gitea | 1.21.2 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-359 | The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Gitea before version 1.21.2 allowed an anonymous user to access a private user's project without proper authorization. The issue was due to missing permission checks that failed to restrict access to private projects. The fix involved adding comprehensive permission verification both in the user interface and API routes to ensure that private projects are only accessible to authorized users. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided resources do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability impact me?
The vulnerability can lead to unauthorized disclosure of private project information to anonymous users. This means sensitive or confidential data stored in private user projects could be exposed to anyone without authentication, potentially leading to data leaks or misuse of private project content. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
To detect this vulnerability, you can check if your Gitea instance is running a version prior to 1.21.2, as versions before this allow anonymous users to access private user projects. There are no specific commands provided in the resources to detect unauthorized access attempts directly. However, monitoring access logs for anonymous requests accessing private project URLs or API endpoints related to private user projects could help identify exploitation attempts. Additionally, verifying the Gitea version via command line (e.g., `gitea --version` or checking the installed package version) can confirm if the vulnerable version is in use. [1, 2]
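The version check suggested in the answer above is easy to get wrong when done as a string comparison ("1.21.10" sorts before "1.21.2" lexically). The script below is an added example, not part of this page and not code from the Gitea project: it parses the first line of `gitea --version` output and compares the numeric version tuple against the 1.21.2 fix release. The output line format it parses is an assumption about Gitea's CLI, and the sample strings in the comments are constructed. Pre-release or development builds that carry the fixed version number are conservatively reported as vulnerable, since only the final 1.21.2 release is known to include the permission checks.

```python
"""Report whether a Gitea build predates the CVE-2025-68945 fix (1.21.2).

Added example for this advisory page; not the page's or the Gitea project's code.
Assumes `gitea --version` prints a line starting "Gitea version X.Y.Z ...".
"""
import re
import subprocess
from typing import Optional, Tuple

# First release with the permission checks for private user projects (from the advisory).
FIXED_VERSION = (1, 21, 2)

# Assumed output shape (constructed sample):
#   "Gitea version 1.21.1 built with GNU Make 4.1, go1.21.4 : bindata, sqlite"
# Group 4 captures an optional pre-release/build suffix such as "rc1" or "dev-12-gabc123".
_VERSION_RE = re.compile(
    r"Gitea version v?(\d+)\.(\d+)\.(\d+)(?:[-+]([0-9A-Za-z.+-]+))?"
)


def parse_gitea_version(text: str) -> Optional[Tuple[int, int, int, str]]:
    """Return (major, minor, patch, suffix) parsed from `gitea --version` output.

    Returns None when no version line is found, so callers can distinguish
    "could not determine" from "not vulnerable".
    """
    match = _VERSION_RE.search(text)
    if match is None:
        return None
    major, minor, patch = (int(match.group(i)) for i in (1, 2, 3))
    return major, minor, patch, match.group(4) or ""


def is_vulnerable(version_output: str, fixed: Tuple[int, int, int] = FIXED_VERSION) -> Optional[bool]:
    """True if the build is older than the fix, False if at or above it, None if unparseable.

    Comparison is done on integer tuples, so 1.21.10 correctly ranks above 1.21.2.
    A pre-release or dev suffix on exactly the fixed version (e.g. 1.21.2-rc1) is
    treated as vulnerable: only the final release is known to contain the fix.
    """
    parsed = parse_gitea_version(version_output)
    if parsed is None:
        return None
    major, minor, patch, suffix = parsed
    core = (major, minor, patch)
    if core < fixed:
        return True
    if core == fixed and suffix:
        return True
    return False


def check_installed_binary(binary: str = "gitea") -> Optional[bool]:
    """Run `<binary> --version` and classify the installed build; None if it cannot be run."""
    try:
        completed = subprocess.run(
            [binary, "--version"], capture_output=True, text=True, timeout=10, check=False
        )
    except (OSError, subprocess.SubprocessError):
        return None
    return is_vulnerable(completed.stdout)


if __name__ == "__main__":
    result = check_installed_binary()
    if result is None:
        print("Could not determine the installed Gitea version.")
    elif result:
        print("VULNERABLE: Gitea is older than 1.21.2; upgrade to close CVE-2025-68945.")
    else:
        print("OK: Gitea is at or above 1.21.2.")
```

Run it on the host where the Gitea binary lives, or feed `is_vulnerable()` the captured output of `gitea --version` from a remote host. Pair the version check with the log review mentioned above: a fixed version closes the gap going forward, but it says nothing about whether private project pages were already fetched anonymously before the upgrade.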
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to upgrade your Gitea installation to version 1.21.2 or later, which includes the security fix for CVE-2025-68945. This update implements missing permission checks to prevent anonymous access to private user projects. Additionally, rebuilding Gitea with the latest Go language version as done in the 1.21.2 release is recommended. Prompt upgrading is strongly advised to close the security gap and prevent unauthorized access. [2, 3]