CVE-2025-65852
published 2026-02-06


Severity: medium

Gogs has authorization bypass in repository deletion API

### Summary

The DELETE /api/v1/repos/:owner/:repo endpoint lacks necessary permission validation middleware. Consequently, any user with read access (including read-only collaborators) can delete the entire repository.

This vulnerability stems from the API route configuration applying only the repoAssignment() middleware (which verifies read access only) and not enforcing reqRepoOwner() or reqRepoAdmin().

### Details
0. Vulnerability Location

- Vulnerable Endpoint: DELETE /api/v1/repos/:owner/:repo
- Routing configuration file: internal/route/api/v1/api.go (approximately line 253)
- Function handling file: internal/route/api/v1/repo/repo.go (approximately lines 320-338)

1. Root Cause Analysis

Code Location 1: API Route Configuration (internal/route/api/v1/api.go ~ line 253)

```go
// Current route configuration (vulnerable)
m.Delete("", repo.Delete) // only inherits the outer repoAssignment() middleware
```

Code Location 2: Delete Function Implementation (internal/route/api/v1/repo/repo.go ~ lines 320-338)

```go
// The Delete function performs no additional permission check of its own
func Delete(c *context.APIContext) {
	// Deletes directly, without verifying that the user is the owner
	if err := models.DeleteRepository(c.User.ID, c.Repo.Repository.ID); err != nil {
		c.Error(500, "DeleteRepository", err)
		return
	}
	c.Status(204)
}
```

2. Missing Permission Check
Comparison with route configurations for other sensitive operations:

```go
// Webhook management (correctly implemented)
m.Group("/hooks", func() {
	m.Combo("").
		Get(repo.ListHooks).
		Post(bind(api.CreateHookOption{}), repo.CreateHook)
}, reqRepoAdmin()) // ✅ permission middleware applied

// Deploy key management (correctly implemented)
m.Group("/keys", func() {
	m.Combo("").
		Get(repo.ListDeployKeys).
		Post(bind(api.CreateKeyOption{}), repo.CreateDeployKey)
}, reqRepoAdmin()) // ✅ permission middleware applied

// Delete repository (vulnerable)
m.Delete("", repo.Delete) // ❌ no permission middleware
```
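As an added illustration (not Gogs code), the following self-contained Go program models the two middleware chains the advisory contrasts: a route guarded only by a read check, and the same route with an admin requirement inserted before the handler. The Perm bitmask, the users map and the X-User header are constructed stand-ins for Gogs' real session and access-mode logic.

```go
package main

import (
	"net/http"
	"net/http/httptest"
)

// Perm is a constructed bitmask of the rights a caller holds on one repository.
type Perm int
const PermRead, PermAdmin Perm = 1, 2

// users is constructed sample data: a read-only collaborator and a repository admin.
var users = map[string]Perm{"reader": PermRead, "admin": PermRead | PermAdmin}

// require rejects callers (a constructed X-User header names them) lacking permission p.
func require(p Perm, status int, next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if users[r.Header.Get("X-User")]&p == 0 {
			w.WriteHeader(status)
			return
		}
		next(w, r)
	}
}

// repoAssignment models the outer middleware in the advisory: read access only.
func repoAssignment(next http.HandlerFunc) http.HandlerFunc {
	return require(PermRead, http.StatusNotFound, next)
}

// reqRepoAdmin models the guard the affected route omits.
func reqRepoAdmin(next http.HandlerFunc) http.HandlerFunc {
	return require(PermAdmin, http.StatusForbidden, next)
}

// deleteRepo stands in for repo.Delete and answers 204 like the real handler.
func deleteRepo(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusNoContent) }

// VulnerableRoute chains only repoAssignment, as in the affected api.go;
// FixedRoute inserts reqRepoAdmin between the read check and the handler.
var VulnerableRoute = repoAssignment(deleteRepo)
var FixedRoute = repoAssignment(reqRepoAdmin(deleteRepo))

// Call issues DELETE /api/v1/repos/:owner/:repo as user and returns the status code.
func Call(h http.HandlerFunc, user string) int {
	req := httptest.NewRequest(http.MethodDelete, "/api/v1/repos/owner/repo", nil)
	req.Header.Set("X-User", user)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}
```

With the vulnerable chain the read-only "reader" receives 204 and the repository is gone; with the fixed chain the same request is refused with 403 while "admin" still succeeds.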
3. Data Flow Path

- API Request Path: DELETE /api/v1/repos/:owner/:repo
- Route Handling: The outer middleware repoAssignment() verifies that the user has read access (Passed).
- Execution: The system directly executes th

### Affected

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gogs.io | gogs | >= 0, < 0.13.4 | 0.13.4 |