CVE-2025-68938

4.3 MEDIUM

📋 TL;DR

Gitea versions before 1.25.2 have an authorization flaw that allows users to delete releases they shouldn't have permission to delete. This affects all Gitea instances running vulnerable versions where users have repository access. The vulnerability stems from improper authorization checks during release deletion operations.

💻 Affected Systems

Products:
  • Gitea
Versions: All versions before 1.25.2
Operating Systems: All platforms running Gitea
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all Gitea deployments with releases feature enabled. The vulnerability is in the authorization logic, not dependent on specific configurations.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Malicious or compromised users could delete important software releases, causing data loss, disrupting deployment pipelines, and potentially enabling supply chain attacks by removing legitimate releases.

🟠 Likely Case

Users with repository access could accidentally or intentionally delete releases they shouldn't have permission to delete, causing minor to moderate disruption depending on the importance of the deleted releases.

🟢 If Mitigated

With proper access controls and monitoring, impact would be limited to authorized users making mistakes, with audit trails available for recovery.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access to a repository. The vulnerability is in authorization logic, making exploitation straightforward for users with any repository access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.25.2

Vendor Advisory: https://blog.gitea.com/release-of-1.25.2/

Restart Required: Yes

Instructions:

1. Backup your Gitea instance and database.
2. Download Gitea 1.25.2 from https://github.com/go-gitea/gitea/releases/tag/v1.25.2.
3. Stop the Gitea service.
4. Replace the Gitea binary with the new version.
5. Restart the Gitea service.
6. Verify the version is now 1.25.2.

🔧 Temporary Workarounds

  • Disable release deletion permissions (all): Temporarily restrict release deletion to administrators only through repository settings
  • Implement external authorization (all): Use external authentication/authorization systems with stricter controls

🧯 If You Can't Patch

  • Implement strict access controls and review user permissions regularly
  • Enable comprehensive logging and monitoring for release deletion events

🔍 How to Verify

Check if Vulnerable:

Check Gitea version via web interface admin panel or run: ./gitea --version

Check Version:

./gitea --version

Verify Fix Applied:

After patching, verify version is 1.25.2 or later and test release deletion permissions with non-admin users
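The version check above can be automated against the banner that `./gitea --version` prints. The following script is an added example for this page, not Gitea's own tooling; it assumes the banner contains the text "version" followed by a dotted semantic version (as in "Gitea version 1.25.1 built with ..."), and it conservatively treats any pre-release or dev-tagged build of 1.25.2 as still unpatched.

```python
import re
import subprocess

# First fixed release per the advisory (CVE-2025-68938).
FIXED = (1, 25, 2)

# Assumed banner shape: "... version 1.25.1 built with ..." (optional "v" prefix,
# optional pre-release/dev suffix such as "-rc1" or "+dev-12-gabcdef").
_BANNER_RE = re.compile(r"version\s+v?(\d+)\.(\d+)\.(\d+)([-+][0-9A-Za-z.+-]*)?", re.IGNORECASE)
# Fallback for a bare "1.25.1" string (e.g. copied from the admin panel).
_BARE_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)([-+][0-9A-Za-z.+-]*)?\s*$")


def parse_gitea_version(text):
    """Return (major, minor, patch, is_prerelease) from a version banner, or None if absent."""
    m = _BANNER_RE.search(text) or _BARE_RE.match(text)
    if not m:
        return None
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    return (major, minor, patch, m.group(4) is not None)


def is_vulnerable(text):
    """True if the reported version is below 1.25.2 (or a non-final build of 1.25.2)."""
    parsed = parse_gitea_version(text)
    if parsed is None:
        raise ValueError("no Gitea version found in: %r" % text)
    major, minor, patch, prerelease = parsed
    if (major, minor, patch) < FIXED:
        return True
    # Conservative: an RC/dev build of the fix version is not assumed to carry the fix.
    return (major, minor, patch) == FIXED and prerelease


def check_local_binary(path="./gitea"):
    """Run `<path> --version` and report whether the installed build is vulnerable."""
    out = subprocess.run([path, "--version"], capture_output=True, text=True, check=True).stdout
    return is_vulnerable(out)


if __name__ == "__main__":
    import sys
    binary = sys.argv[1] if len(sys.argv) > 1 else "./gitea"
    vulnerable = check_local_binary(binary)
    print("VULNERABLE: upgrade to 1.25.2 or later" if vulnerable else "OK: 1.25.2 or later")
    sys.exit(1 if vulnerable else 0)
```

Run it as `python3 check_gitea.py /path/to/gitea`; a non-zero exit makes it usable as a gate in a configuration-audit job.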

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized release deletion attempts in Gitea logs
  • Release deletion events from non-admin users

Network Indicators:

  • HTTP DELETE requests to /api/v1/repos/*/releases/* endpoints from unauthorized users

SIEM Query:

source="gitea.log" AND "release" AND "delete" AND NOT user="admin"
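The SIEM query above is a one-line sketch; the script below is an added example (not part of the original page and not Gitea's own tooling) of the same detection logic run over log lines. The log format is constructed for this example (a key=value line per request); adapt the regex to whatever your Gitea or reverse-proxy logs actually emit. It isolates successful HTTP DELETE calls on the `/api/v1/repos/<owner>/<repo>/releases/<id>` endpoint named in the advisory and flags those made by users outside an assumed per-repository allow-list of authorized release deleters.

```python
import re
from dataclasses import dataclass

# Constructed sample log lines (not real Gitea output): timestamp, user, method, path, status.
SAMPLE_LOG = """\
2025-12-01T09:00:01Z user=alice method=GET path=/api/v1/repos/acme/app/releases status=200
2025-12-01T09:02:10Z user=bob method=DELETE path=/api/v1/repos/acme/app/releases/42 status=204
2025-12-01T09:03:33Z user=admin method=DELETE path=/api/v1/repos/acme/app/releases/41 status=204
2025-12-01T09:05:00Z user=carol method=DELETE path=/api/v1/repos/acme/lib/releases/7 status=403
2025-12-01T09:06:12Z user=bob method=DELETE path=/api/v1/repos/acme/app/releases/43 status=204
"""

# Matches only DELETE calls against a single release on the API endpoint from the advisory.
RELEASE_DELETE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+method=DELETE\s+"
    r"path=/api/v1/repos/(?P<owner>[^/\s]+)/(?P<repo>[^/\s]+)/releases/(?P<release_id>\d+)\s+"
    r"status=(?P<status>\d{3})"
)

# Assumed allow-list: which users are expected to delete releases in each repository.
ALLOWED_DELETERS = {
    "acme/app": {"admin"},
    "acme/lib": {"admin", "carol"},
}


@dataclass(frozen=True)
class ReleaseDeletion:
    ts: str
    user: str
    owner: str
    repo: str
    release_id: int
    status: int

    @property
    def succeeded(self):
        # Only 2xx responses mean a release was actually removed; 403s are refused attempts.
        return 200 <= self.status < 300


def parse_release_deletions(log_text):
    """Extract every release-deletion API call (successful or not) from the log."""
    events = []
    for line in log_text.splitlines():
        m = RELEASE_DELETE_RE.match(line)
        if m:
            events.append(ReleaseDeletion(
                ts=m["ts"], user=m["user"], owner=m["owner"], repo=m["repo"],
                release_id=int(m["release_id"]), status=int(m["status"]),
            ))
    return events


def find_suspicious_deletions(log_text, allowed_deleters):
    """Successful deletions performed by users not on the repository's allow-list."""
    findings = []
    for ev in parse_release_deletions(log_text):
        allowed = allowed_deleters.get("%s/%s" % (ev.owner, ev.repo), set())
        if ev.succeeded and ev.user not in allowed:
            findings.append(ev)
    return findings


def deletions_per_user(log_text):
    """Count successful release deletions by user (useful as a baseline for alert thresholds)."""
    counts = {}
    for ev in parse_release_deletions(log_text):
        if ev.succeeded:
            counts[ev.user] = counts.get(ev.user, 0) + 1
    return counts


if __name__ == "__main__":
    for f in find_suspicious_deletions(SAMPLE_LOG, ALLOWED_DELETERS):
        print("%s %s deleted release %d in %s/%s (HTTP %d)"
              % (f.ts, f.user, f.release_id, f.owner, f.repo, f.status))
```

Refused attempts (403) are deliberately not treated as findings here, but on an unpatched instance a user can succeed where a 403 would be expected, so the successful deletions by non-allow-listed users are the events worth alerting on and reconciling against backups.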
