CVE-2025-68943 Overview
CVE-2025-68943 is an information disclosure vulnerability in Gitea versions prior to 1.21.8. The flaw allows unauthenticated users to enumerate login timestamps for any Gitea user by leveraging the lastlogintime sort parameter on the explore/users endpoint. The exposed metadata was intended to remain private but became inferable through sort order manipulation. This vulnerability is categorized under [CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere].
Critical Impact
Remote unauthenticated attackers can enumerate user login activity patterns, enabling reconnaissance for targeted phishing, credential stuffing, or account takeover campaigns against active Gitea users.
Affected Products
- Gitea versions prior to 1.21.8
- Self-hosted Gitea instances exposing the explore/users endpoint
- Gitea deployments permitting public user directory browsing
Discovery Timeline
- 2025-12-26 - CVE-2025-68943 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-68943
Vulnerability Analysis
Gitea exposes a public user directory at the explore/users route that supports multiple sort orders. Prior to version 1.21.8, the sort options included lastlogintime, which ordered results by the private last_login_unix field stored in the user database. While the individual timestamp values were not directly rendered in the response body, the resulting user ordering leaked the underlying data.
An attacker iterating through paginated results can infer the relative recency of each user's last login. Combined with binary-search style queries using additional filters, attackers can approximate absolute login times without any authentication. This transforms non-public backend metadata into observable state through ordering side effects.
Root Cause
The root cause is improper exposure of internal sort fields to the public-facing user explorer. The lastlogintime sort key referenced a database column that should have been restricted to administrators. The endpoint lacked authorization checks tying sort capabilities to the requesting user's privilege level. The fix in pull request go-gitea/gitea#29430 removes the lastlogintime sort option from the public explorer.
Attack Vector
Exploitation requires only network access to a Gitea instance with public user browsing enabled. An unauthenticated attacker issues HTTP GET requests to the /explore/users endpoint with the sort=newest and sort=oldest parameters manipulated to include lastlogintime ordering. The returned HTML page reveals user rankings by login recency, which the attacker parses to build a target list of active accounts.
The vulnerability manifests through the sort parameter handling on the users explore route. See the GitHub Gitea Pull Request for the exact code changes that removed the vulnerable sort option.
Detection Methods for CVE-2025-68943
Indicators of Compromise
- HTTP GET requests to /explore/users containing sort=lastlogintime or similar login-time sort parameters
- Repeated paginated requests to /explore/users from a single source IP scraping the full user list
- User-agent strings consistent with scraping frameworks or automated HTTP clients accessing the explorer endpoint
Detection Strategies
- Parse Gitea access logs for the string lastlogintime within query strings on the explore/users route
- Baseline normal traffic volume to /explore/users and alert on sustained enumeration patterns
- Correlate anomalous explorer access with subsequent authentication failures targeting the enumerated accounts
Monitoring Recommendations
- Forward Gitea reverse proxy logs (nginx, Caddy, Traefik) to a centralized logging platform for query string inspection
- Enable rate limiting alerts on the explore/users endpoint at the web application firewall
- Track the running Gitea version across all self-hosted instances and flag any deployment below 1.21.8
How to Mitigate CVE-2025-68943
Immediate Actions Required
- Upgrade Gitea to version 1.21.8 or later, referencing the Gitea Release v1.21.8 notes
- Audit the app.ini configuration and disable public user browsing if not required for your workflow
- Review reverse proxy logs for historical exploitation attempts using the lastlogintime sort parameter
Patch Information
Gitea released the fix in version 1.21.8. The upstream commit removes the lastlogintime sort option from the public user explorer. See the Gitea Blog Release Announcement for full release notes covering versions 1.21.8, 1.21.9, and 1.21.10. Administrators should validate the running version with gitea --version after upgrade.
Workarounds
- Set [service] REQUIRE_SIGNIN_VIEW = true in app.ini to require authentication before accessing the user explorer
- Block or rate-limit requests containing sort=lastlogintime at the reverse proxy layer until the patch is applied
- Restrict access to the /explore routes via network ACLs when the instance is intended for internal use only
# Configuration example - app.ini
[service]
REQUIRE_SIGNIN_VIEW = true
[service.explore]
DISABLE_USERS_PAGE = true
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

