CVE-2025-68943 — Exposure of Sensitive System Information to an Unauthorized Control Sphere in Gitea

CWE-497 — Exposure of Sensitive System Information to an Unauthorized Control Sphere6 documents5 sources

Severity

5.3MEDIUMNVD

EPSS

0.0%

top 98.26%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Code.gitea.io Gitea Gitea

Timeline

PublishedDec 26

Latest updateDec 30

Description

Gitea before 1.21.8 inadvertently discloses users' login times by allowing (for example) the lastlogintime explore/users sort order.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

▶NVDgitea/gitea< 1.21.8

▶Gocode.gitea.io/gitea< 1.21.8

🔴Vulnerability Details

OSV

Gitea inadvertently discloses users' login times by allowing (for example) the lastlogintime explore/users sort order in code.gitea.io/gitea↗2025-12-30

▶

OSV

Gitea inadvertently discloses users' login times by allowing (for example) the lastlogintime explore/users sort order↗2025-12-26

▶

GHSA

Gitea inadvertently discloses users' login times by allowing (for example) the lastlogintime explore/users sort order↗2025-12-26

▶

📋Vendor Advisories

Red Hat

gitea: Gitea: Information disclosure of user login times via sort order↗2025-12-26

▶

🕵️Threat Intelligence

Wiz

CVE-2025-68943 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶