CVE-2025-68940
📋 TL;DR
This vulnerability allows users with insufficient permissions to delete branches after merging pull requests in Gitea instances. It affects all Gitea deployments running versions before 1.22.5 where branch deletion functionality is enabled.
💻 Affected Systems
- Gitea
📦 What is this software?
Gitea by Gitea
⚠️ Risk & Real-World Impact
Worst Case
Unauthorized users could delete important branches containing production code, documentation, or configuration files, causing service disruption or data loss.
Likely Case
Users with limited repository access could delete branches they shouldn't have permission to delete, potentially removing development work or important code history.
If Mitigated
With proper access controls and monitoring, impact would be limited to minor repository management issues that could be restored from backups.
🎯 Exploit Status
Exploitation requires authenticated access to a Gitea instance and the ability to merge pull requests.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.22.5
Vendor Advisory: https://blog.gitea.com/release-of-1.22.5/
Restart Required: Yes
Instructions:
1. Backup your Gitea instance and database
2. Download Gitea 1.22.5 or later from https://github.com/go-gitea/gitea/releases/tag/v1.22.5
3. Stop Gitea service
4. Replace the Gitea binary with the new version
5. Restart Gitea service
6. Verify the version is 1.22.5 or later
🔧 Temporary Workarounds
Disable branch deletion
Temporarily disable branch deletion functionality for all repositories
Edit the app.ini configuration file and, under [repository], set DEFAULT_BRANCHES = main,master (or similar) to restrict branch operations
Restrict pull request merging
Limit who can merge pull requests to trusted administrators only
Configure repository settings to require administrator approval for all pull request merges
🧯 If You Can't Patch
- Review and audit all branch deletion events in logs
- Implement additional monitoring for unauthorized branch deletions
- Ensure regular backups of all repositories are maintained
🔍 How to Verify
Check if Vulnerable:
Check if Gitea version is below 1.22.5 and branch deletion is enabled in repository settings
Check Version:
Run ./gitea --version, or check the web interface footer
Verify Fix Applied:
After upgrading, verify the version is 1.22.5 or later and test that branch deletion permissions are properly enforced
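As an added example (not part of this advisory or of Gitea's own tooling), the check below parses the output of ./gitea --version and compares it numerically against 1.22.5. Comparing version strings lexically is a common mistake (1.22.10 sorts before 1.22.5 as text), so the triple is compared as integers. The sample output string is constructed for the example; the exact wording of the real --version banner is assumed to contain an X.Y.Z triple, which is all the parser relies on.

```python
import re
import subprocess

# Version in which the branch-deletion permission check is fixed (from the advisory).
FIXED_VERSION = (1, 22, 5)

# First X.Y.Z triple in the banner; suffixes such as "+dev-..." or "-rc1" are ignored.
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)")


def parse_version(banner):
    """Extract the numeric (major, minor, patch) triple from a `gitea --version` banner."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"no X.Y.Z version found in: {banner!r}")
    return tuple(int(part) for part in m.groups())


def is_vulnerable(version):
    """True when the running version predates the fixed release (tuple comparison, not string)."""
    return tuple(version) < FIXED_VERSION


def check_binary(path="./gitea"):
    """Run the local binary and report (version, vulnerable). Requires the binary to be present."""
    out = subprocess.run([path, "--version"], capture_output=True, text=True, check=True).stdout
    version = parse_version(out)
    return version, is_vulnerable(version)


if __name__ == "__main__":
    # Constructed sample banners; the real banner wording may differ but carries an X.Y.Z triple.
    for banner in ("Gitea version 1.22.4 built with go1.21", "Gitea version 1.22.10 built with go1.22"):
        v = parse_version(banner)
        print(banner, "->", ".".join(map(str, v)), "VULNERABLE" if is_vulnerable(v) else "fixed")
```

Run check_binary() on the host to get the live answer; the two constructed banners in the main block show that 1.22.4 is flagged while 1.22.10 is correctly treated as newer than 1.22.5.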
📡 Detection & Monitoring
Log Indicators:
- Unauthorized branch deletion events in Gitea logs
- Branch deletion by users without proper permissions
Network Indicators:
- HTTP POST requests to branch deletion endpoints from unauthorized users
SIEM Query:
source="gitea.log" AND "branch" AND "delete" AND NOT user="admin"
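The SIEM query above only excludes the literal user "admin"; a more useful rule compares the actor of each successful branch-deletion request against the set of users who are actually permitted to delete branches in that repository. The script below is an added example, not part of this advisory or of Gitea. The log lines and the per-repository allow-list are constructed for the example, and the three request shapes it matches (web-UI delete, post-merge cleanup, and the REST branch endpoint) are assumptions about the instance's access log; adapt LINE_RE and DELETE_PATTERNS to the format your Gitea instance actually writes.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample log lines (not real Gitea output): timestamp, actor, method, path, status.
SAMPLE_LOG = """\
2025/01/10 09:12:01 user=alice POST /acme/api/branches/_delete?name=feature/login 200
2025/01/10 09:13:44 user=bob POST /acme/api/pulls/42/cleanup 200
2025/01/10 09:15:02 user=admin POST /acme/docs/branches/_delete?name=old-draft 200
2025/01/10 09:16:30 user=carol GET /acme/api/branches 200
2025/01/10 09:17:11 user=dave DELETE /api/v1/repos/acme/api/branches/hotfix 204
2025/01/10 09:18:00 user=eve POST /acme/api/branches/_delete?name=release 403
"""

# Constructed policy: who may delete branches in each repository.
ALLOWED_DELETERS = {
    "acme/api": {"admin", "alice"},
    "acme/docs": {"admin"},
}

# Shape of the constructed log line; replace with the real access-log format in use.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) user=(?P<user>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)

# Assumed request shapes that delete a branch: (path pattern, HTTP method).
DELETE_PATTERNS = [
    (re.compile(r"^/(?P<repo>[^/]+/[^/]+)/branches/_delete\?name=(?P<branch>.+)$"), "POST"),
    (re.compile(r"^/(?P<repo>[^/]+/[^/]+)/pulls/\d+/cleanup$"), "POST"),
    (re.compile(r"^/api/v1/repos/(?P<repo>[^/]+/[^/]+)/branches/(?P<branch>.+)$"), "DELETE"),
]


@dataclass
class DeletionEvent:
    ts: str
    user: str
    repo: str
    branch: Optional[str]  # None for post-merge cleanup, where the branch is not in the path
    status: int


def parse_deletions(log_text):
    """Return every request in the log that attempts a branch deletion, successful or not."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        for pattern, method in DELETE_PATTERNS:
            if m["method"] != method:
                continue
            pm = pattern.match(m["path"])
            if pm:
                events.append(DeletionEvent(m["ts"], m["user"], pm["repo"],
                                            pm.groupdict().get("branch"), int(m["status"])))
                break
    return events


def suspicious_deletions(log_text, policy=ALLOWED_DELETERS):
    """Successful (2xx) deletions whose actor is not on the repository's allow-list."""
    return [e for e in parse_deletions(log_text)
            if 200 <= e.status < 300 and e.user not in policy.get(e.repo, set())]


if __name__ == "__main__":
    for e in suspicious_deletions(SAMPLE_LOG):
        print(f"{e.ts} ALERT user={e.user} repo={e.repo} branch={e.branch or '(post-merge cleanup)'}")
```

On the constructed input this flags bob's post-merge cleanup and dave's API delete on acme/api, while alice (allowed), admin, and eve's 403-rejected attempt are not reported as successful unauthorized deletions; the rejected attempt is still visible in parse_deletions() if you want to alert on attempts as well.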