CVE-2025-68942

5.4 MEDIUM

📋 TL;DR

This Cross-Site Scripting (XSS) vulnerability in Gitea allows attackers to inject malicious scripts into the search input box for creating tags and branches. When exploited, these scripts execute in victims' browsers, potentially stealing session cookies or performing unauthorized actions. All Gitea instances running versions before 1.22.2 are affected.

💻 Affected Systems

Products:
  • Gitea
Versions: All versions before 1.22.2
Operating Systems: All platforms running Gitea
Default Config Vulnerable: ⚠️ Yes
Notes: All Gitea deployments using the web interface are vulnerable regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers steal administrator session cookies, gain full control of the Gitea instance, and potentially compromise the entire development infrastructure.

🟠 Likely Case

Attackers steal user session cookies to access repositories, modify code, or exfiltrate sensitive source code and credentials.

🟢 If Mitigated

Script execution is blocked by Content Security Policy (CSP) or other browser protections, limiting impact to minor UI disruption.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction (victim must click a crafted link) but uses standard XSS techniques.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.22.2

Vendor Advisory: https://blog.gitea.com/release-of-1.22.2/

Restart Required: Yes

Instructions:

1. Backup your Gitea instance and database.
2. Download Gitea 1.22.2 from https://github.com/go-gitea/gitea/releases/tag/v1.22.2.
3. Stop the Gitea service.
4. Replace the Gitea binary with the new version.
5. Restart the Gitea service.

🔧 Temporary Workarounds

Content Security Policy (CSP)

all

Implement a strict CSP header to block inline script execution and restrict script sources.

Add "Content-Security-Policy: script-src 'self'" to the web server's response headers.

🧯 If You Can't Patch

  • Disable user registration and limit access to trusted users only
  • Implement a Web Application Firewall (WAF) with XSS protection rules

🔍 How to Verify

Check if Vulnerable:

Check Gitea version via web interface admin panel or run './gitea --version' on server.

Check Version:

./gitea --version

Verify Fix Applied:

Verify version is 1.22.2 or higher and test search input box for script execution.
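The version check above is easy to get wrong by eye (1.22.10 sorts after 1.22.2, and a 1.22.2 release candidate predates the fixed release). The following Python script is an added example, not part of this page or of the Gitea project: it parses the output of ./gitea --version, compares it against the 1.22.2 fix version from the advisory, and treats any pre-release suffix on 1.22.2 itself as still unpatched. The sample output strings in the test are constructed; the exact wording Gitea prints is not asserted, only that a dotted version number appears in it.

```python
import re
import subprocess
from typing import Optional, Tuple

# First release carrying the fix for CVE-2025-68942, per the advisory above.
FIXED_VERSION = (1, 22, 2)

# Finds a dotted version such as "1.22.1", "v1.22.2" or "1.22.2-rc1" anywhere in the
# --version output, so it does not depend on the surrounding wording.
_VERSION_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?")


def parse_gitea_version(output: str) -> Optional[Tuple[Tuple[int, int, int], Optional[str]]]:
    """Return ((major, minor, patch), prerelease_suffix_or_None), or None if no version is found."""
    m = _VERSION_RE.search(output)
    if not m:
        return None
    core = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return core, m.group(4)


def is_vulnerable(output: str) -> Optional[bool]:
    """True if the reported version predates 1.22.2, False if fixed, None if unparseable."""
    parsed = parse_gitea_version(output)
    if parsed is None:
        return None
    core, prerelease = parsed
    if core < FIXED_VERSION:          # tuple comparison, so 1.22.10 > 1.22.2 as intended
        return True
    if core == FIXED_VERSION and prerelease is not None:
        # e.g. 1.22.2-rc1 was cut before the 1.22.2 release, so it is not known to carry the fix
        return True
    return False


def check_local_binary(path: str = "./gitea") -> Optional[bool]:
    """Run the binary's own --version and classify it (path is an assumption; adjust per install)."""
    proc = subprocess.run([path, "--version"], capture_output=True, text=True, check=False)
    return is_vulnerable(proc.stdout + proc.stderr)


if __name__ == "__main__":
    state = check_local_binary()
    print({True: "VULNERABLE: upgrade to 1.22.2 or later",
           False: "OK: version is 1.22.2 or later",
           None: "UNKNOWN: could not parse version output"}[state])
```

Run it from the directory containing the Gitea binary; the same classification can be applied to the version string shown in the admin panel by passing that text to is_vulnerable().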

📡 Detection & Monitoring

Log Indicators:

  • Unusual search queries containing script tags or JavaScript in access logs

Network Indicators:

  • HTTP requests with script payloads in query parameters

SIEM Query:

web.access: * AND (url: *search* OR url: *tag* OR url: *branch*) AND (query: *<script>* OR query: *javascript:* OR query: *onerror=*)
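A caveat a practitioner will hit with the SIEM query above: browsers URL-encode the search parameter, so a raw-text match on <script> misses %3Cscript%3E and double-encoded variants entirely. The Python script below is an added example, not part of this page or of the Gitea project. It applies the same three indicators (script tag, javascript: URI, onerror= handler) to the decoded query string of requests whose path mentions search, tag or branch, mirroring the SIEM query's scope. The access log lines are constructed samples in Apache/nginx combined format; the IP addresses are documentation ranges, not real traffic.

```python
import re
from typing import Iterable, List, Optional
from urllib.parse import unquote_plus, urlsplit

# Combined log format: client, ident, user, [time], "METHOD URL PROTO", status, size.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Endpoints named in the SIEM query (matched against the request path, not the query string).
_ENDPOINT_RE = re.compile(r"(search|tag|branch)", re.IGNORECASE)

# Indicators named in the SIEM query, checked against the *decoded* query string.
_INDICATOR_RE = re.compile(r"(<script|javascript:|onerror=)", re.IGNORECASE)


def decode_query(url: str) -> str:
    """Return the query string decoded twice, so %253C (double-encoded '<') is caught too."""
    query = urlsplit(url).query
    return unquote_plus(unquote_plus(query))


def inspect_line(line: str) -> Optional[dict]:
    """Return a finding dict for a suspicious search/tag/branch request, else None."""
    m = _LOG_RE.match(line)
    if not m:
        return None
    url = m.group("url")
    path = urlsplit(url).path
    if not _ENDPOINT_RE.search(path):
        return None
    decoded = decode_query(url)
    hit = _INDICATOR_RE.search(decoded)
    if not hit:
        return None
    return {
        "ip": m.group("ip"),
        "time": m.group("time"),
        "path": path,
        "indicator": hit.group(1).lower(),
        "decoded_query": decoded,
    }


def scan(lines: Iterable[str]) -> List[dict]:
    """Run inspect_line over every log line and collect the findings."""
    return [finding for finding in (inspect_line(ln) for ln in lines) if finding]


# Constructed sample log lines (not captured traffic).
SAMPLE_LOG = [
    '203.0.113.10 - - [12/Jan/2025:10:00:01 +0000] "GET /org/repo/search?q=login+handler HTTP/1.1" 200 5120',
    '198.51.100.7 - - [12/Jan/2025:10:00:05 +0000] "GET /org/repo/branches?q=%3Cscript%3E1%3C%2Fscript%3E HTTP/1.1" 200 4880',
    '198.51.100.7 - - [12/Jan/2025:10:00:09 +0000] "GET /org/repo/tags?q=javascript%3Avoid%280%29 HTTP/1.1" 200 4700',
    '192.0.2.44 - - [12/Jan/2025:10:01:00 +0000] "GET /org/repo/issues?q=%3Cimg+onerror%3Dx%3E HTTP/1.1" 200 3000',
    '198.51.100.7 - - [12/Jan/2025:10:02:30 +0000] "GET /org/repo/branches?q=%253Cscript%253E HTTP/1.1" 200 4880',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f'{finding["time"]} {finding["ip"]} {finding["path"]} -> {finding["indicator"]}')
```

On the sample input the benign search and the issues-page request are ignored (the latter carries an indicator but is outside the query's endpoint scope), while the two branch requests and the tag request are flagged; the last line is only caught because the query string is decoded twice. Pipe a real access log into scan() line by line to use it against production data.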
