CVE-2025-68945

5.8 MEDIUM

📋 TL;DR

This vulnerability allows anonymous (unauthenticated) users to access private repositories belonging to other users on Gitea instances. It affects all Gitea installations running versions before 1.21.2 on which private repositories exist.

💻 Affected Systems

Products:
  • Gitea
Versions: All versions before 1.21.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects instances with private repositories. Public repositories are not impacted.

📦 What is this software?

Gitea is a self-hosted Git service written in Go. It ships as a single binary (listening on port 3000 by default) and provides public and private repository hosting, issues, pull requests and a REST API under /api/v1.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Unauthorized access to sensitive source code, intellectual property, or confidential data stored in private repositories, potentially leading to data breaches or competitive intelligence gathering.

🟠

Likely Case

Exposure of private repositories to anonymous users, compromising repository confidentiality and potentially exposing sensitive code or configuration files.

🟢

If Mitigated

Limited impact if proper network segmentation and access controls prevent anonymous users from reaching the Gitea instance, or if all repositories are already public.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires no authentication and minimal technical skill: an attacker simply requests the URL of a private repository (https://<host>/<owner>/<repo>) as an anonymous user. The attacker needs to know or guess the owner and repository name.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.21.2

Vendor Advisory: https://blog.gitea.com/release-of-1.21.2/

Restart Required: Yes

Instructions:

1. Back up your Gitea instance and database.
2. Download Gitea 1.21.2 or later from the official releases.
3. Stop the Gitea service.
4. Replace the Gitea binary with the new version.
5. Start the Gitea service.
6. Verify the running version is 1.21.2 or later.

🔧 Temporary Workarounds

Disable Anonymous Access

Platform: all

Configure Gitea to require sign-in for every page and API call, so anonymous users cannot reach any repository content. The setting for this is REQUIRE_SIGNIN_VIEW in the [service] section of app.ini (there is no ENABLE_ANONYMOUS_ACCESS option). Note that this also hides public repositories from anonymous visitors and blocks anonymous clones of them.

Edit app.ini, section [service]: REQUIRE_SIGNIN_VIEW = true
Restart Gitea: systemctl restart gitea

Network Access Control

Platform: linux

Restrict network access to the Gitea instance with firewall rules so that only trusted source networks can reach it. A firewall cannot tell authenticated users from anonymous ones; this only shrinks the set of hosts that can send anonymous requests at all. If Gitea sits behind a reverse proxy, apply the restriction at the proxy instead. Port 3000 is Gitea's default HTTP_PORT; replace trusted_network with your CIDR range (for example 10.0.0.0/8).

iptables -A INPUT -p tcp --dport 3000 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 3000 -j DROP

🧯 If You Can't Patch

  • Implement strict network segmentation so that anonymous or untrusted clients cannot reach the Gitea instance at all
  • If a repository is private only by habit and contains nothing sensitive, making it public is an explicit decision that removes a false assumption of confidentiality until the patch is applied; do not do this for anything that actually needs to stay private

🔍 How to Verify

Check if Vulnerable:

Compare the running Gitea version against 1.21.2. If it is older, confirm by requesting the URL of a repository you know is private (https://<host>/<owner>/<repo>) from a browser or curl session with no cookies or token; a 200 response containing repository content means the instance is exposed.

Check Version:

./gitea --version on the server, the admin panel of the web interface, or GET /api/v1/version over HTTP (returns {"version":"..."}).

Verify Fix Applied:

After patching, request private repository URLs as an anonymous user: Gitea should answer 404 (it deliberately returns 404 rather than 403 so that the existence of a private repository is not revealed) or, with REQUIRE_SIGNIN_VIEW enabled, redirect to the login page.
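The version comparison and the anonymous-access probe described above, as an added shell example that is not code from the advisory or from the Gitea project. It assumes the operator sets GITEA_URL and PRIVATE_REPO (the owner/name of a repository known to be private); /api/v1/version is Gitea's public version endpoint, and the comparison treats a pre-release build of 1.21.2 (for example 1.21.2-rc1) as still unpatched:

```shell
#!/bin/sh
# Added example, not code from the advisory or the Gitea project.
# Decides from the version string whether an instance still lacks the
# CVE-2025-68945 fix and whether a known private repository is served to an
# anonymous client. Assumes GITEA_URL (e.g. https://git.example.com) and
# PRIVATE_REPO (owner/name of a repository you know is private) are set.

# version_is_vulnerable VERSION
# Returns 0 (true) when VERSION sorts before 1.21.2. Accepts a leading "v",
# tolerates a missing patch number, treats an empty/unknown version as
# vulnerable, and treats a pre-release suffix such as 1.21.2-rc1 as older
# than the 1.21.2 release it precedes.
version_is_vulnerable() {
    v=${1#v}
    pre=0
    case "$v" in *-*) pre=1 ;; esac        # "-rc1", "-dev": pre-release build
    v=${v%%[-+]*}                          # keep only the numeric core
    old_ifs=$IFS; IFS=.; set -- $v; IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    [ "$major" -lt 1 ] && return 0
    [ "$major" -gt 1 ] && return 1
    [ "$minor" -lt 21 ] && return 0
    [ "$minor" -gt 21 ] && return 1
    [ "$patch" -lt 2 ] && return 0
    [ "$patch" -gt 2 ] && return 1
    [ "$pre" -eq 1 ]                       # exactly 1.21.2: unpatched only if pre-release
}

# anonymous_status_is_safe HTTP_STATUS
# Returns 0 when the response hides the repository from an anonymous client:
# 404 (what Gitea returns for a private repo the caller may not see, so that
# its existence is not revealed), 401/403, or a 302/303 redirect to the login
# page. Anything else, above all a 200 with repository content, is exposure.
anonymous_status_is_safe() {
    case "$1" in
        404|401|403|302|303) return 0 ;;
        *) return 1 ;;
    esac
}

# check_live_instance: probe a real instance. curl sends no cookies or token,
# so both requests are made as an anonymous client; -L is deliberately absent
# so a login redirect shows up as 302 instead of being followed.
check_live_instance() {
    ver=$(curl -sf "$GITEA_URL/api/v1/version" | sed -n 's/.*"version" *: *"\([^"]*\)".*/\1/p')
    status=$(curl -s -o /dev/null -w '%{http_code}' "$GITEA_URL/$PRIVATE_REPO")
    if [ "$status" = 000 ]; then
        echo "could not connect to $GITEA_URL" >&2
        return 1
    fi
    printf 'version=%s  anonymous GET /%s -> HTTP %s\n' "${ver:-unknown}" "$PRIVATE_REPO" "$status"
    if version_is_vulnerable "$ver"; then
        echo "UNPATCHED: version is below 1.21.2 (or unknown); upgrade to 1.21.2 or later"
    fi
    if anonymous_status_is_safe "$status"; then
        echo "OK: private repository is not served to anonymous clients"
    else
        echo "EXPOSED: private repository answered HTTP $status to an anonymous client"
    fi
}

# Run the live probe only when the operator has supplied the target.
if [ -n "${GITEA_URL:-}" ] && [ -n "${PRIVATE_REPO:-}" ]; then
    check_live_instance
fi
```

Run it as `GITEA_URL=https://git.example.com PRIVATE_REPO=acme/secret-service sh check-gitea.sh`. Without those variables the script only defines the functions, so the version logic can be exercised on its own, for example `version_is_vulnerable 1.21.1 && echo unpatched`.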

📡 Detection & Monitoring

Log Indicators:

  • Requests from the anonymous identity (logged as "-" in the identity field of Gitea's access log) to private repository paths that are answered with HTTP 200
  • Bursts of 404 responses for repository paths from a single unauthenticated source, which suggests enumeration of repository names (after the fix, 404 is the expected answer to an anonymous request for a private repository, so these are attempts, not successes)

Network Indicators:

  • Unusual traffic to private repository URLs, including anonymous clone attempts (paths ending in .git/info/refs), from addresses that have no authenticated session

SIEM Query:

Gitea's access log does not contain the words "anonymous" or "private": the anonymous identity is logged as "-", and whether a path belongs to a private repository has to be joined against your own list of private repositories. Search for the anonymous identity plus a 200 response on those paths; the field names below are assumptions, map them to whatever your log parser produces.

source="gitea-access.log" identity="-" status=200 uri IN ("/owner1/private-repo*", "/owner2/private-repo*")
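The log indicator and SIEM query above, turned into a runnable filter as an added shell example that is not code from the advisory or from the Gitea project. It assumes the access log is enabled with Gitea's default ACCESS_LOG_TEMPLATE, in which the anonymous identity is logged as "-", and it takes the list of private repositories from the operator, because the log line itself does not say whether a repository is private. The sample log lines and repository names are constructed:

```shell
#!/bin/sh
# Added example, not code from the advisory or the Gitea project: find
# successful anonymous requests for repositories you know are private in
# Gitea's access log. Assumes [log] ENABLE_ACCESS_LOG = true with the default
# ACCESS_LOG_TEMPLATE, which yields one line per request in the form
#   <remote> - <identity> [<time>] "<method> <uri> <proto>" <status> <bytes> "<referer>" "<user-agent>"
# where <identity> is "-" for an anonymous client.

# flag_anonymous_private_hits "owner/repo owner/repo ..." < access.log
# Prints one line per anonymous (identity "-") request that was answered 200
# for a path under a listed private repository. The first two path segments
# identify the repository; a ".git" suffix (clone and fetch traffic such as
# /owner/repo.git/info/refs) and any query string are stripped before matching.
flag_anonymous_private_hits() {
    awk -v privlist="$1" '
    BEGIN { n = split(privlist, arr); for (i = 1; i <= n; i++) priv[arr[i]] = 1 }
    $3 == "-" && $9 == 200 {
        uri = $7
        sub(/\?.*/, "", uri)            # drop query string
        sub(/^\//, "", uri)             # drop leading slash
        nseg = split(uri, seg, "/")
        if (nseg < 2) next              # not a repository path
        repo = seg[1] "/" seg[2]
        sub(/\.git$/, "", repo)         # normalise smart-HTTP clone paths
        if (repo in priv) {
            method = $6; sub(/^"/, "", method)
            printf "%s %s %s %s %s -> %s\n", $4, $5, $1, method, $7, $9
        }
    }'
}

# count_anonymous_private_hits "owner/repo ..." < access.log
# Same filter, printing only the number of matching requests.
count_anonymous_private_hits() {
    flag_anonymous_private_hits "$1" | awk 'END { print NR + 0 }'
}

# Constructed sample data for a stand-alone run (not real log lines).
# Lines 1 and 2 are anonymous hits on a private repo (web page, then a clone);
# line 3 is an authenticated user, line 4 a public repo, line 5 a 404 as a
# patched instance answers.
PRIVATE_REPOS='acme/secret-service acme/billing'
SAMPLE_LOG='203.0.113.7 - - [10/Jan/2025:10:12:31 +0000] "GET /acme/secret-service HTTP/1.1" 200 5321 "" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2025:10:12:40 +0000] "GET /acme/secret-service.git/info/refs?service=git-upload-pack HTTP/1.1" 200 412 "" "git/2.43.0"
10.0.0.5 - alice [10/Jan/2025:10:13:02 +0000] "GET /acme/secret-service HTTP/1.1" 200 5321 "" "Mozilla/5.0"
198.51.100.9 - - [10/Jan/2025:10:14:10 +0000] "GET /acme/public-site HTTP/1.1" 200 3120 "" "Mozilla/5.0"
198.51.100.9 - - [10/Jan/2025:10:14:12 +0000] "GET /acme/billing HTTP/1.1" 404 1200 "" "Mozilla/5.0"'

printf '%s\n' "$SAMPLE_LOG" | flag_anonymous_private_hits "$PRIVATE_REPOS"
```

Against a live instance, feed the real file instead of the sample: `flag_anonymous_private_hits "$(cat private-repos.txt)" < /var/lib/gitea/log/access.log`. On a patched instance the same filter should return nothing, because anonymous requests for private repositories are answered 404 rather than 200.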
