CVE-2025-68944

5.0 MEDIUM

📋 TL;DR

Gitea versions before 1.22.2 have a token scope propagation flaw in package registries that could allow authenticated users to access resources beyond their intended permissions. This affects all Gitea instances using package registries with the vulnerable versions. The vulnerability requires an authenticated user account to exploit.

💻 Affected Systems

Products:
  • Gitea
Versions: All versions before 1.22.2
Operating Systems: All platforms running Gitea
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Gitea instances using package registries feature. The vulnerability is present in default configurations when package registries are enabled.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

An authenticated attacker could access private packages, repositories, or other resources they shouldn't have permission to view or modify, potentially leading to data exposure or unauthorized modifications.

🟠

Likely Case

Authenticated users accidentally or intentionally gaining access to package registry resources they shouldn't have permissions for, leading to information disclosure.

🟢

If Mitigated

With proper access controls and monitoring, impact is limited to minor permission boundary violations that can be detected and contained.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires an authenticated user account and understanding of Gitea's package registry system. No public exploit code has been identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.22.2

Vendor Advisory: https://blog.gitea.com/release-of-1.22.2/

Restart Required: Yes

Instructions:

1. Back up your Gitea instance and database.
2. Download Gitea 1.22.2 or later from the official releases.
3. Stop the Gitea service.
4. Replace the Gitea binary with the new version.
5. Restart the Gitea service.
6. Verify that the version has been updated.

🔧 Temporary Workarounds

Disable Package Registries

all

Temporarily disable Gitea package registries to prevent exploitation while planning the upgrade.

Edit the app.ini configuration:

[packages]
ENABLED = false

Then restart the Gitea service.

🧯 If You Can't Patch

  • Implement strict access controls and monitor package registry usage logs for suspicious activity
  • Restrict package registry access to only trusted users and implement additional authentication layers

🔍 How to Verify

Check if Vulnerable:

Check the Gitea version in the web interface's Admin Panel, or run: ./gitea --version

Check Version:

./gitea --version

Verify Fix Applied:

Confirm the version is 1.22.2 or later, then test package registry permissions with different user accounts.
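The version check above can be scripted so it is not done by eye. The following is an added example (not part of this advisory or of Gitea) that classifies a `gitea --version` line as vulnerable, fixed or unknown against the patched release 1.22.2. It assumes the binary prints a line beginning "Gitea version X.Y.Z ..." and ignores any pre-release or build suffix when comparing; the script name and the `--live` flag are this example's own.

```shell
#!/bin/sh
# Added example (not part of the advisory or of Gitea): classify a `gitea --version`
# line as vulnerable/fixed/unknown relative to the patched release 1.22.2.
# Assumption: the binary prints a line starting "Gitea version X.Y.Z ..."; pre-release
# suffixes such as -rc1 or +dev are ignored for the comparison.

FIXED_VERSION="1.22.2"

# Pull the numeric X.Y.Z out of a `gitea --version` line; prints nothing if unparseable.
extract_version() {
    printf '%s\n' "$1" |
        sed -n 's/^Gitea version \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# True (exit 0) when dotted version $1 is numerically lower than $2.
# Numeric comparison matters: a string compare would wrongly rank 1.9.0 above 1.22.2.
version_lt() {
    a_major=${1%%.*}; a_rest=${1#*.}; a_minor=${a_rest%%.*}; a_patch=${a_rest#*.}
    b_major=${2%%.*}; b_rest=${2#*.}; b_minor=${b_rest%%.*}; b_patch=${b_rest#*.}
    [ "$a_major" -lt "$b_major" ] && return 0
    [ "$a_major" -gt "$b_major" ] && return 1
    [ "$a_minor" -lt "$b_minor" ] && return 0
    [ "$a_minor" -gt "$b_minor" ] && return 1
    [ "$a_patch" -lt "$b_patch" ]
}

# Prints one of: vulnerable | fixed | unknown
classify_version() {
    v=$(extract_version "$1")
    if [ -z "$v" ]; then
        echo unknown
    elif version_lt "$v" "$FIXED_VERSION"; then
        echo vulnerable
    else
        echo fixed
    fi
}

# Live use against a local binary: sh check_gitea_version.sh --live /path/to/gitea
if [ "${1:-}" = "--live" ]; then
    gitea_bin=${2:-./gitea}
    classify_version "$("$gitea_bin" --version 2>/dev/null || true)"
fi
```

Run it with `--live` on the host that serves Gitea; an `unknown` result means the output format did not match and should be checked by hand rather than treated as fixed.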

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to package registry endpoints
  • Users accessing packages outside their normal scope patterns

Network Indicators:

  • Unusual API calls to /api/packages endpoints from users without appropriate permissions

SIEM Query:

source="gitea.log" AND ("package" OR "registry") AND ("permission denied" OR "unauthorized")
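For instances that ship logs to a file rather than a SIEM, the same query can be run offline. The following is an added example (not part of this advisory or of Gitea) that expresses the query as a portable shell/awk filter and tallies denied package-registry requests per user. The log lines are constructed for the example, and the `user=...` extraction is an assumption about the access-log format that should be adjusted to the instance's actual log layout.

```shell
#!/bin/sh
# Added example (not part of the advisory or of Gitea): the SIEM query expressed as a
# portable shell/awk filter that runs over a Gitea log file offline.
# The sample lines below are constructed; the user=... field is an assumption about the
# access-log format and must be adapted to the real one.

SAMPLE_LOG=$(cat <<'EOF'
2025-01-15T10:02:11Z [I] router: completed GET /api/packages/orgA/npm/lib for user=alice status=200
2025-01-15T10:02:13Z [W] package registry: permission denied for user=bob on /api/packages/orgB/generic/tool/1.0
2025-01-15T10:02:14Z [W] package registry: unauthorized token scope for user=bob on /api/packages/orgB/container/app
2025-01-15T10:03:00Z [I] router: completed GET /repos/orgA/app for user=carol status=200
2025-01-15T10:03:01Z [W] repo: permission denied for user=dave on /orgA/secret-repo
EOF
)

# Equivalent of: ("package" OR "registry") AND ("permission denied" OR "unauthorized").
# Reads log lines on stdin and prints the matching ones; case-insensitive via tolower().
package_auth_failures() {
    awk '{ l = tolower($0) }
         (l ~ /package|registry/) && (l ~ /permission denied|unauthorized/)'
}

# Number of matching lines as a clean integer (avoids grep -c's non-zero exit on no hits).
count_package_auth_failures() {
    package_auth_failures | awk 'END { print NR }'
}

# Per-user tally of denied package-registry requests, most frequent first.
failures_by_user() {
    package_auth_failures |
        sed -n 's/.*user=\([^ ]*\).*/\1/p' |
        sort | uniq -c | sort -rn
}

# Username with the most denied package-registry requests (empty when there are none).
top_offender() {
    failures_by_user | head -n 1 | awk '{ print $2 }'
}

# Demo over the constructed sample; for real use, feed the log file on stdin instead:
#   failures_by_user < /var/log/gitea/gitea.log
printf '%s\n' "$SAMPLE_LOG" | failures_by_user
```

A user who repeatedly tops this tally, especially for packages outside the organisations they normally work in, is the pattern the Log Indicators above describe and is worth checking against that account's token scopes.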

🔗 References
