CVE-2025-68944 Overview
CVE-2025-68944 affects Gitea versions before 1.22.2. The flaw resides in one of Gitea's built-in package registries, where the propagation of token scope for access control is mishandled. An attacker with a scoped access token may leverage this inconsistency to perform actions outside the intended scope, resulting in limited integrity impact. The issue is classified under [CWE-441] (Unintended Proxy or Intermediary, also known as Confused Deputy). Gitea addressed the flaw in release 1.22.2.
Critical Impact
A network-reachable attacker with a valid but scope-limited token can bypass intended scope restrictions in a Gitea package registry, achieving unintended write actions.
Affected Products
- Gitea versions prior to 1.22.2
- Self-hosted Gitea instances exposing package registries
- Deployments relying on scoped tokens for registry access control
Discovery Timeline
- 2025-12-26 - CVE-2025-68944 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-68944
Vulnerability Analysis
Gitea supports scoped access tokens that restrict what an authenticated client may do against the API and its package registries. In versions before 1.22.2, the token scope was not consistently propagated through one of the package registry code paths. As a result, an operation the token should not have been authorized to perform could succeed under specific conditions.
The root weakness maps to [CWE-441], where an intermediary component acts on behalf of a caller without enforcing the caller's original authorization boundaries. The confidentiality of stored repository data is not directly affected, but package registry integrity is at risk because unauthorized modifications become possible.
See the Gitea 1.22.2 release notes and the corresponding pull request #31967 for the maintainer discussion of the fix.
Root Cause
The registry handler failed to re-evaluate the token's scope for every registry action. Scope information available at the authentication layer was not consistently threaded into the authorization decision inside the package registry logic, leading to a confused-deputy condition.
Attack Vector
Exploitation requires a network path to the Gitea instance and a valid Gitea access token. The attacker submits a request to the affected package registry endpoint using a token whose scope should exclude the requested action. Because the scope check is not correctly propagated, the request is honored. No user interaction is required, and the attacker does not need elevated privileges beyond possession of any valid token.
No verified public exploit code is available for this issue.
Detection Methods for CVE-2025-68944
Indicators of Compromise
- Package registry write events performed by tokens whose declared scopes should not permit the action.
- Unexpected package uploads, updates, or deletions in Gitea audit logs on versions prior to 1.22.2.
- Registry API calls returning HTTP 2xx where policy would predict 401 or 403.
Detection Strategies
- Correlate Gitea access logs against the token scope catalog to flag operations that exceed the token's assigned scope.
- Baseline normal per-token package registry activity and alert on deviations, especially write operations from tokens historically used for read-only automation.
- Review Gitea audit events for package publishes originating from service tokens tied to CI systems that should not publish.
Monitoring Recommendations
- Forward Gitea application and access logs to a centralized log platform and retain sufficient history to investigate token misuse.
- Track the Gitea version currently deployed and alert when instances fall behind the fixed release 1.22.2.
- Monitor package registry endpoints for anomalous request patterns following token issuance or rotation events.
How to Mitigate CVE-2025-68944
Immediate Actions Required
- Upgrade all Gitea instances to version 1.22.2 or later using the artifacts listed on the Gitea v1.22.2 release page.
- Audit existing access tokens and revoke any that are unused, overly scoped, or issued to decommissioned automation.
- Rotate tokens used by CI/CD pipelines and package publishers after upgrading.
Patch Information
Gitea fixed the token scope propagation issue in release 1.22.2. The change is described in the Gitea 1.22.2 release blog post and merged via pull request #31967. Administrators should upgrade using their standard deployment method, whether binary, Docker image, or Helm chart.
Workarounds
- Restrict network access to the Gitea package registry endpoints to trusted CI runners and internal networks until upgrading.
- Reduce the number of active tokens and issue narrowly scoped, short-lived tokens where possible.
- Disable unused package registry types in the Gitea configuration to reduce the attack surface.
# Verify the installed Gitea version and upgrade path
gitea --version
# Example Docker upgrade to the fixed release
docker pull gitea/gitea:1.22.2
docker stop gitea && docker rm gitea
docker run -d --name=gitea \
-v /var/lib/gitea:/data \
-p 3000:3000 -p 222:22 \
gitea/gitea:1.22.2
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

