CVE-2025-65852
Gogs has authorization bypass in repository deletion API
Published 2026-02-06 · Severity: medium
### Summary
The DELETE /api/v1/repos/:owner/:repo endpoint lacks necessary permission validation middleware. Consequently, any user with read access (including read-only collaborators) can delete the entire repository.
This vulnerability stems from the API route configuration only utilizing the repoAssignment() middleware (which only verifies read access) without enforcing reqRepoOwner() or reqRepoAdmin().
### Details
0. Vulnerability location:
- Vulnerable endpoint: DELETE /api/v1/repos/:owner/:repo
- Routing configuration file: internal/route/api/v1/api.go (approximately line 253)
- Handler file: internal/route/api/v1/repo/repo.go (approximately lines 320-338)
1. Root Cause Analysis
Code Location 1: API Route Configuration (internal/route/api/v1/api.go ~ line 253)
```go
// Current route configuration (vulnerable)
m.Delete("", repo.Delete) // only inherits the outer repoAssignment() middleware
```
Code Location 2: Delete Function Implementation (internal/route/api/v1/repo/repo.go ~ lines 320-338)
```go
// The Delete function performs no additional permission check of its own
func Delete(c *context.APIContext) {
	// Executes the deletion directly, without verifying that the user is the owner
	if err := models.DeleteRepository(c.User.ID, c.Repo.Repository.ID); err != nil {
		c.Error(500, "DeleteRepository", err)
		return
	}
	c.Status(204)
}
```
2. Missing Permission Check
Comparison with route configurations for other sensitive operations:
```go
// Webhook management (correct implementation)
m.Group("/hooks", func() {
	m.Combo("").
		Get(repo.ListHooks).
		Post(bind(api.CreateHookOption{}), repo.CreateHook)
}, reqRepoAdmin()) // ✅ uses the permission middleware

// Deploy key management (correct implementation)
m.Group("/keys", func() {
	m.Combo("").
		Get(repo.ListDeployKeys).
		Post(bind(api.CreateKeyOption{}), repo.CreateDeployKey)
}, reqRepoAdmin()) // ✅ uses the permission middleware

// Repository deletion (vulnerable)
m.Delete("", repo.Delete) // ❌ no permission middleware
```
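To make the middleware gap concrete, here is an added example (not Gogs' code) in plain net/http that models repoAssignment() as a read-access check and reqRepoAdmin() as an admin check, then compares the DELETE route with and without the inner check. The permission table, the X-User header and the handler names are constructed stand-ins for Gogs' session and route machinery.

```go
package main

import (
	"net/http"
	"net/http/httptest"
	"strings"
)

// Access levels: repoAssignment() only demands accessRead; deleting a repository should demand accessAdmin.
const (
	accessRead  = iota + 1 // zero means no access at all
	accessAdmin
)

// Constructed sample permission table: repo -> user -> access level.
var collaborators = map[string]map[string]int{"alice/project": {"alice": accessAdmin, "bob": accessRead}}

// requireAccess builds a middleware that rejects callers below need with status. The repo is the
// :owner/:repo part of the path; the X-User header is a constructed stand-in for the session user.
func requireAccess(need, status int) func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			repo := strings.TrimPrefix(r.URL.Path, "/api/v1/repos/")
			if collaborators[repo][r.Header.Get("X-User")] < need {
				http.Error(w, http.StatusText(status), status)
				return
			}
			next.ServeHTTP(w, r)
		})
	}
}

var repoAssignment = requireAccess(accessRead, http.StatusNotFound) // outer middleware: read access only
var reqRepoAdmin = requireAccess(accessAdmin, http.StatusForbidden)  // the check the DELETE route omitted

// deleteRepo stands in for repo.Delete: it trusts whatever the middleware chain let through.
var deleteRepo = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusNoContent) })

// VulnerableRoute mirrors m.Delete("", repo.Delete) guarded by repoAssignment() alone;
// FixedRoute nests reqRepoAdmin() inside it, as the /hooks and /keys groups already do.
func VulnerableRoute() http.Handler { return repoAssignment(deleteRepo) }
func FixedRoute() http.Handler      { return repoAssignment(reqRepoAdmin(deleteRepo)) }

// tryDelete returns the status code user receives for DELETE /api/v1/repos/<repo> via h.
func tryDelete(h http.Handler, user, repo string) int {
	req := httptest.NewRequest(http.MethodDelete, "/api/v1/repos/"+repo, nil)
	req.Header.Set("X-User", user)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}
```

With the sample table, tryDelete(VulnerableRoute(), "bob", "alice/project") returns 204 for the read-only collaborator, while FixedRoute() returns 403 for bob, 204 for alice, and 404 for a user with no access at all.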
3. Data Flow Path
- API Request Path: DELETE /api/v1/repos/:owner/:repo
- Route Handling: The outer middleware repoAssignment() verifies that the user has read access (Passed).
- Execution: The system directly executes th
Affected ranges (1)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gogs.io | gogs | >= 0, < 0.13.4 | 0.13.4 |
OSV · 2026-02-17: Gogs has authorization bypass in repository deletion API in gogs.io/gogs
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
The additional affected modules and versions are: gogs.io/gogs before v0.13.4.
OSV · 2026-02-06: CVE-2025-65852 [MEDIUM] Gogs has authorization bypass in repository deletion API
GHSA · 2026-02-06: CVE-2025-65852 [MEDIUM] CWE-284 Gogs has authorization bypass in repository deletion API
No detection rules found.
No public exploits indexed.