CVE-2025-68945
Unknown Unknown - Not Provided
Unauthorized Access in Gitea Before 1.21.2 Allows Private Project Exposure

Publication date: 2025-12-26

Last updated on: 2025-12-26

Assigner: MITRE

Description
In Gitea before 1.21.2, an anonymous user can visit a private user's project.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-26
Last Modified
2025-12-26
Generated
2026-06-16
AI Q&A
2025-12-26
EPSS Evaluated
2026-06-15
NVD
CVE-2025-68945
EUVD
EUVD-2025-205424
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
gitea gitea 1.21.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-359 The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in Gitea before version 1.21.2 allowed an anonymous user to access a private user's project without proper authorization. The issue was due to missing permission checks that failed to restrict access to private projects. The fix involved adding comprehensive permission verification both in the user interface and API routes to ensure that private projects are only accessible to authorized users. [1]

Compliance Impact

The provided resources do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Impact Analysis

The vulnerability can lead to unauthorized disclosure of private project information to anonymous users. This means sensitive or confidential data stored in private user projects could be exposed to anyone without authentication, potentially leading to data leaks or misuse of private project content. [1, 2]

Detection Guidance

To detect this vulnerability, you can check if your Gitea instance is running a version prior to 1.21.2, as versions before this allow anonymous users to access private user projects. There are no specific commands provided in the resources to detect unauthorized access attempts directly. However, monitoring access logs for anonymous requests accessing private project URLs or API endpoints related to private user projects could help identify exploitation attempts. Additionally, verifying the Gitea version via command line (e.g., `gitea --version` or checking the installed package version) can confirm if the vulnerable version is in use. [1, 2]

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade your Gitea installation to version 1.21.2 or later, which includes the security fix for CVE-2025-68945. This update implements missing permission checks to prevent anonymous access to private user projects. Additionally, rebuilding Gitea with the latest Go language version as done in the 1.21.2 release is recommended. Prompt upgrading is strongly advised to close the security gap and prevent unauthorized access. [2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68945. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart