CVE-2025-68943

5.3 MEDIUM

📋 TL;DR

Gitea versions before 1.21.8 inadvertently disclose users' login times through the explore/users API endpoint. This information leakage vulnerability allows attackers to determine when users last logged in, potentially revealing activity patterns. All Gitea instances running vulnerable versions are affected.

💻 Affected Systems

Products:
  • Gitea
Versions: All versions before 1.21.8
Operating Systems: All platforms running Gitea
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all Gitea installations with the explore/users endpoint accessible.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could map user activity patterns to identify inactive accounts for takeover attempts, correlate login times with other attacks, or conduct reconnaissance for targeted social engineering.

🟠 Likely Case

Unauthorized users can gather intelligence about user activity patterns, potentially identifying administrators or inactive accounts for further targeting.

🟢 If Mitigated

With proper access controls and monitoring, the impact is limited to information disclosure without direct system compromise.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to the explore/users endpoint with sorting capability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.21.8 and later

Vendor Advisory: https://blog.gitea.com/release-of-1.21.8-and-1.21.9-and-1.21.10/

Restart Required: Yes

Instructions:

1. Back up your Gitea instance and database.
2. Download Gitea 1.21.8 or later from the official releases.
3. Stop the Gitea service.
4. Replace the Gitea binary with the new version.
5. Restart the Gitea service.
6. Verify that the update was successful.

🔧 Temporary Workarounds

Disable explore/users endpoint

Platforms: all

Restrict access to the explore/users API endpoint that exposes the vulnerable sorting functionality.

Modify the Gitea configuration to restrict access to the /explore/users endpoint.

🧯 If You Can't Patch

  • Implement network-level access controls to restrict who can access the Gitea web interface
  • Enable detailed logging and monitoring for unusual access patterns to user exploration endpoints

🔍 How to Verify

Check if Vulnerable:

Check if your Gitea version is below 1.21.8 by accessing the web interface or running the version command.

Check Version:

./gitea --version

Verify Fix Applied:

After updating to 1.21.8 or later, verify that the lastlogintime sort option is no longer available on the explore/users endpoint.
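The version check above can be automated by parsing the output of `./gitea --version` and comparing it with the fixed release. The following is an added example, not part of this advisory or of Gitea itself; it assumes the output contains the phrase "version X.Y.Z" (the sample outputs below are constructed) and treats pre-release builds of 1.21.8 as unpatched.

```python
import re

# Fixed release named in the advisory: 1.21.8 and later contain the fix.
FIXED_VERSION = (1, 21, 8)

# Matches the version triple and an optional pre-release suffix such as "-rc0".
# Assumption: `gitea --version` prints the word "version" followed by the number.
_VERSION_RE = re.compile(
    r"\bversion\s+v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?", re.IGNORECASE
)


def parse_gitea_version(output: str):
    """Return ((major, minor, patch), prerelease_or_None) from `gitea --version`
    output, or None when no version triple can be found."""
    m = _VERSION_RE.search(output)
    if not m:
        return None
    triple = tuple(int(x) for x in m.group(1, 2, 3))
    prerelease = m.group(4)[1:] if m.group(4) else None
    return triple, prerelease


def is_vulnerable(output: str) -> bool:
    """True when the build predates 1.21.8 and so carries CVE-2025-68943.
    Raises ValueError instead of guessing when the version is unreadable."""
    parsed = parse_gitea_version(output)
    if parsed is None:
        raise ValueError("could not determine Gitea version from output")
    triple, prerelease = parsed
    if triple < FIXED_VERSION:
        return True
    if triple == FIXED_VERSION and prerelease is not None:
        # An rc/pre-release of 1.21.8 precedes the release; treat it as unpatched.
        return True
    return False


# Constructed sample outputs (layout assumed, not copied from Gitea).
SAMPLE_OUTPUTS = {
    "old": "Gitea version 1.21.7 built with GNU Make 4.4.1, go1.21.6 : bindata, sqlite",
    "fixed": "Gitea version 1.21.8 built with GNU Make 4.4.1, go1.21.6 : bindata, sqlite",
    "later": "Gitea version 1.21.10 built with GNU Make 4.4.1, go1.21.6 : bindata, sqlite",
    "rc": "Gitea version 1.21.8-rc0 built with GNU Make 4.4.1, go1.21.6 : bindata, sqlite",
}

if __name__ == "__main__":
    for label, out in SAMPLE_OUTPUTS.items():
        print(f"{label:>6}: vulnerable={is_vulnerable(out)}")
```

Tuple comparison handles 1.21.10 versus 1.21.8 correctly, which a plain string comparison would not. On a real host, feed `subprocess.run(["./gitea", "--version"], capture_output=True, text=True).stdout` into `is_vulnerable`.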

📡 Detection & Monitoring

Log Indicators:

  • Unusual frequency of requests to the /explore/users endpoint
  • Requests whose sort parameter is set to lastlogintime

Network Indicators:

  • Repeated API calls to user exploration endpoints from single sources

SIEM Query:

source="gitea" AND (uri_path="/explore/users" OR uri_path="/api/v1/explore/users")
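The log indicators above can be checked outside a SIEM with a small filter over the access log. The script below is an added example, not part of this advisory or of Gitea; it assumes combined-format access log lines as a reverse proxy in front of Gitea would write them (the sample lines are constructed, with documentation-range IP addresses), flags any explore/users request whose sort value contains "lastlogintime", and counts explore/users requests per source to surface the repeated-calls indicator.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Paths named in the advisory's detection section.
EXPLORE_PATHS = {"/explore/users", "/api/v1/explore/users"}

# Combined log format (assumed reverse-proxy layout; not Gitea's own router log).
_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: one source paging through last-login-sorted listings,
# two others making ordinary requests.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2025:10:00:01 +0000] "GET /explore/users?sort=lastlogintime HTTP/1.1" 200 5120
203.0.113.7 - - [10/Jan/2025:10:00:02 +0000] "GET /explore/users?sort=lastlogintime&page=2 HTTP/1.1" 200 5110
203.0.113.7 - - [10/Jan/2025:10:00:03 +0000] "GET /api/v1/explore/users?sort=lastlogintime HTTP/1.1" 200 3001
198.51.100.4 - - [10/Jan/2025:10:05:00 +0000] "GET /explore/users?sort=newest HTTP/1.1" 200 5090
198.51.100.4 - - [10/Jan/2025:10:05:10 +0000] "GET /user/login HTTP/1.1" 200 2210
192.0.2.9 - - [10/Jan/2025:10:06:00 +0000] "GET /explore/users HTTP/1.1" 200 5100
"""


def parse_line(line: str):
    """Split one access-log line into ip, path, parsed query and status; None if unparsable."""
    m = _LINE_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    return {
        "ip": m["ip"],
        "ts": m["ts"],
        "path": parts.path.rstrip("/") or "/",
        "query": parse_qs(parts.query),
        "status": int(m["status"]),
    }


def is_lastlogin_sort(entry) -> bool:
    """True for an explore/users request sorted on last-login time (substring match,
    so variant spellings of the sort value are also caught)."""
    if entry["path"] not in EXPLORE_PATHS:
        return False
    return any("lastlogintime" in v.lower() for v in entry["query"].get("sort", []))


def analyze(log_text: str, burst_threshold: int = 3):
    """Return (flagged, noisy_sources).

    flagged: list of (ip, path, sort value) for requests sorting by last-login time.
    noisy_sources: {ip: count} for sources with >= burst_threshold explore/users requests."""
    flagged = []
    per_source = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        if entry["path"] in EXPLORE_PATHS:
            per_source[entry["ip"]] += 1
        if is_lastlogin_sort(entry):
            flagged.append((entry["ip"], entry["path"], entry["query"]["sort"][0]))
    noisy = {ip: n for ip, n in per_source.items() if n >= burst_threshold}
    return flagged, noisy


if __name__ == "__main__":
    hits, bursts = analyze(SAMPLE_LOG)
    for ip, path, sort in hits:
        print(f"last-login sort: {ip} {path} sort={sort}")
    for ip, n in bursts.items():
        print(f"repeated explore/users calls: {ip} ({n} requests)")
```

Tune `burst_threshold` to the normal browsing rate on your instance; a patched server will still receive sort=lastlogintime requests from scanners, so the flag is an indicator of probing rather than of successful disclosure.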
