CVE-2025-68938 Overview
CVE-2025-68938 is an authorization flaw in Gitea, a self-hosted Git service written in Go. Versions before 1.25.2 mishandle authorization checks for the deletion of releases. The weakness maps to [CWE-863: Incorrect Authorization]. An unauthenticated network-based actor can trigger the flaw without user interaction, resulting in limited impact to availability. The Gitea project addressed the issue in version 1.25.2 through a pull request that corrects the authorization logic. Because Gitea hosts source code, release artifacts, and CI/CD workflows, unauthorized deletion of releases can disrupt software supply chains and downstream consumers that depend on tagged binaries.
Critical Impact
Improper authorization allows deletion of Gitea releases by actors who should not have delete permissions, affecting integrity of published release artifacts and availability of downloadable software packages.
Affected Products
- Gitea versions prior to 1.25.2
- Self-hosted Gitea instances exposed to network access
- Gitea deployments using the standard release management feature
Discovery Timeline
- 2025-12-26 - CVE-2025-68938 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-68938
Vulnerability Analysis
The vulnerability is a broken access control issue in Gitea's release management subsystem. Gitea exposes REST API endpoints and web routes that allow repository maintainers to publish and delete releases associated with Git tags. Prior to version 1.25.2, the deletion handler failed to fully verify that the caller held the required permission on the target repository before removing the release object. This class of flaw is categorized under [CWE-863: Incorrect Authorization], where a permission check exists but does not correctly enforce policy for all code paths.
An actor reaching the release deletion endpoint can remove release records without holding the appropriate role on the repository. The impact is limited to availability of the release artifact metadata, aligning with the vector components that indicate no confidentiality or integrity impact on the wider system but measurable impact to availability. The upstream fix is tracked in pull request #36002, which corrects the permission check inside the release deletion path.
Root Cause
The root cause is a missing or insufficient authorization check in the release deletion handler. The code path did not consistently validate that the requesting user held write permission on releases for the target repository before proceeding to remove the record.
Attack Vector
Exploitation occurs over the network against a Gitea HTTP endpoint that handles release deletion. No user interaction is required. The attack complexity is low, and successful exploitation removes release entries, which can break dependent build pipelines and package consumers. See the Gitea 1.25.2 release notes for the vendor description of the fix.
No public proof-of-concept exploit code is available at this time, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Detection Methods for CVE-2025-68938
Indicators of Compromise
- Unexpected DELETE requests to Gitea release API endpoints such as /api/v1/repos/{owner}/{repo}/releases/{id} originating from unusual accounts or IP addresses.
- Audit log entries showing release removals performed by users without documented maintainer or owner roles on the affected repository.
- Missing release tags or artifacts on repositories that previously had a stable release history.
Detection Strategies
- Review Gitea application logs and reverse proxy access logs for HTTP DELETE calls against /releases/ paths and correlate with the acting user identity.
- Enable and monitor Gitea's built-in action feed and admin audit logging for release deletion events across all repositories.
- Compare current release inventories against known-good snapshots or upstream mirrors to identify missing releases.
Monitoring Recommendations
- Forward Gitea web server and application logs to a centralized SIEM or data lake and alert on release deletion events performed by non-owner accounts.
- Track anomalous rates of release deletion across the Gitea tenant, especially from single source IPs or API tokens.
- Alert on release deletions occurring outside of change windows or performed by service accounts not associated with release automation.
How to Mitigate CVE-2025-68938
Immediate Actions Required
- Upgrade all Gitea instances to version 1.25.2 or later, as published in the Gitea v1.25.2 release.
- Inventory internet-facing Gitea deployments and prioritize patching those exposed to untrusted networks.
- Audit recent release deletion activity across repositories to identify any unauthorized removals prior to patching.
Patch Information
The Gitea project fixed the authorization check in version 1.25.2. The relevant change is included in pull request #36002, which enforces correct permission validation on the release deletion code path. Administrators should review the Gitea 1.25.2 release announcement for full upgrade notes.
Workarounds
- Restrict network access to the Gitea web interface and API using a reverse proxy, VPN, or IP allow-listing until the patch is applied.
- Reduce the number of accounts with write access to repositories to limit the blast radius of authorization mistakes.
- Back up release metadata and artifacts to an external location so that removed releases can be restored if abuse is detected.
# Example: verify installed Gitea version and upgrade to 1.25.2 or later
gitea --version
# Docker-based upgrade example
docker pull gitea/gitea:1.25.2
docker stop gitea && docker rm gitea
docker run -d --name gitea \
-p 3000:3000 -p 222:22 \
-v /var/lib/gitea:/data \
gitea/gitea:1.25.2
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

