Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-68941

CVE-2025-68941: Gitea Auth Bypass Vulnerability

CVE-2025-68941 is an authentication bypass vulnerability in Gitea that allows unauthorized access to private resources using API tokens scoped for public access. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-68941 Overview

CVE-2025-68941 is an improper authorization vulnerability in Gitea, an open-source self-hosted Git service. Gitea versions before 1.22.3 mishandle access checks when an API token scoped to public resources is used against private resources. Attackers with a public-scope token can retrieve information they should not be authorized to access. The flaw is tracked under CWE-863: Incorrect Authorization and affects the confidentiality of private repositories and related resources.

Critical Impact

An API token limited to public resources can be used to access private resources, breaking the token scope boundary and exposing confidential repository data.

Affected Products

  • Gitea versions prior to 1.22.3
  • Self-hosted Gitea instances exposing the REST API
  • Gitea deployments issuing scoped personal access tokens

Discovery Timeline

  • 2025-12-26 - CVE-2025-68941 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-68941

Vulnerability Analysis

Gitea supports scoped API tokens that restrict what a token can read or write. A token can be issued with a scope limited to public resources only. The vulnerability stems from an incomplete authorization check in the API request handler. When a request presented a public-scope token, the code failed to reject access to resources marked as private.

As a result, a caller holding a public-only token could enumerate or read private repository metadata and content belonging to the token owner or accessible to that user. The scope constraint intended to reduce token blast radius was not enforced consistently across API routes. The issue is a logic flaw, not a memory safety or injection defect.

Root Cause

The root cause is missing scope validation between the token's declared permission and the visibility attribute of the target resource. The authorization layer verified user access rights but did not cross-check the token scope against the resource's public or private classification. This gap allowed the token to inherit the underlying user's full read privileges rather than remaining bound to public data. The fix landed in Gitea Pull Request #32218 and shipped in the Gitea 1.22.3 release.

Attack Vector

Exploitation requires network access to the Gitea API and possession of a valid public-scope API token. An attacker who obtains or is granted such a token, for example through a compromised CI system or a third-party integration, can call private-resource endpoints and receive data. No user interaction and no elevated privileges are required beyond the token itself.

No public proof-of-concept code has been published. The vulnerability is described in prose in the vendor advisory rather than through a released exploit. See the Gitea 1.22.3 release notes for the fix reference.

Detection Methods for CVE-2025-68941

Indicators of Compromise

  • API access logs showing tokens with public-only scope successfully reading endpoints tied to private repositories.
  • Unexpected 200 OK responses on /api/v1/repos/{owner}/{private-repo} calls when the requesting token should be limited to public data.
  • Sudden increases in API read volume from integration accounts or CI service tokens.

Detection Strategies

  • Audit the Gitea instance version and confirm it is 1.22.3 or later.
  • Correlate API access logs with the token scope registry to flag any private-resource access performed by public-scope tokens.
  • Review token issuance records for tokens created before the patch date and rotate them.

Monitoring Recommendations

  • Forward Gitea API and application logs to a centralized log platform for retention and query.
  • Alert on API responses that return private repository payloads to callers that should be restricted by scope.
  • Track authentication events per token identifier to spot anomalous read patterns.

How to Mitigate CVE-2025-68941

Immediate Actions Required

  • Upgrade Gitea to version 1.22.3 or later on all self-hosted instances.
  • Revoke and reissue existing API tokens, especially those advertised as scoped to public resources.
  • Review historical API access logs for signs of private-resource reads by public-scope tokens.

Patch Information

The fix is included in Gitea 1.22.3. The upstream change is available in Gitea Pull Request #32218 and referenced in the Gitea 1.22.3 release announcement. Administrators should apply the vendor-supplied release for their deployment method, whether binary, Docker image, or package repository.

Workarounds

  • Avoid issuing tokens with public-only scope until the upgrade is complete, and instead rely on short-lived, tightly scoped credentials.
  • Restrict network access to the Gitea API to trusted networks and identity-verified clients.
  • Set repository visibility to private only where required and audit membership on sensitive repositories to reduce exposure surface.
bash
# Verify installed Gitea version and upgrade path
gitea --version
# Expected output should show 1.22.3 or later after upgrade

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.