CVE-2025-68944: Confused Deputy in Gitea

CWE-441 Confused Deputy (6 documents, 5 sources)

Severity: 5.3 MEDIUM (NVD)
EPSS: 0.0% (top 98.33%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products: see Affected Packages below
Timeline: Published Dec 26, 2025; latest update Dec 30, 2025

Description

Gitea before 1.22.2 sometimes mishandles the propagation of token scope for access control within one of its own package registries. In CWE-441 terms, a registry endpoint can act on a request with more authority than the scope of the presented access token should convey, so a token issued for a narrower purpose may reach a registry operation it was not meant to authorize. The advisory does not name the registry, so operators should treat every package registry on an instance below 1.22.2 as in scope and upgrade rather than rely on disabling a single registry type.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Exploitability: 3.9 | Impact: 1.4

Reading the vector: network-reachable, low attack complexity, no privileges or user interaction required, scope unchanged; no confidentiality or availability impact and only a low integrity impact, which is why the base score is 5.3 (Medium).

Affected Packages (2 packages)

Source | Package              | Affected range
NVD    | gitea/gitea          | < 1.22.2
Go     | code.gitea.io/gitea  | < 1.22.2
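An added example, not part of this page or of the Gitea project: a small Go program that asks an instance for its self-reported version through the unauthenticated GET /api/v1/version endpoint and compares it against the affected range listed above. The endpoint and its {"version": "..."} response shape are Gitea's public API; the function names, the comparison logic and the sample version strings are assumptions of this example. It handles the version forms Gitea actually reports (a bare release, a "v" prefix, "-rc" pre-releases, and "+dev" build metadata).

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"os"
	"strconv"
	"strings"
	"time"
)

// FixedVersion is the first release the advisory lists as not affected.
const FixedVersion = "1.22.2"

// semver holds the numeric part of a Gitea version plus a pre-release flag.
type semver struct {
	major, minor, patch int
	pre                 bool // "-rc1", "-dev" etc. sort before the bare release
}

// parseVersion accepts "1.22.1", "v1.22.1", "1.22.0-rc1" and
// "1.23.0+dev-123-gabcdef". Build metadata after '+' is ignored;
// anything after '-' marks a pre-release of the numeric version.
func parseVersion(s string) (semver, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	if i := strings.IndexByte(s, '+'); i >= 0 {
		s = s[:i]
	}
	var v semver
	if i := strings.IndexByte(s, '-'); i >= 0 {
		v.pre = true
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return v, fmt.Errorf("unexpected version %q", s)
	}
	nums := make([]int, 3)
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return v, fmt.Errorf("bad component %q in %q", p, s)
		}
		nums[i] = n
	}
	v.major, v.minor, v.patch = nums[0], nums[1], nums[2]
	return v, nil
}

// less reports whether a sorts before b; a pre-release of X sorts before X.
func less(a, b semver) bool {
	if a.major != b.major {
		return a.major < b.major
	}
	if a.minor != b.minor {
		return a.minor < b.minor
	}
	if a.patch != b.patch {
		return a.patch < b.patch
	}
	return a.pre && !b.pre
}

// Affected reports whether a reported Gitea version is below FixedVersion.
func Affected(version string) (bool, error) {
	v, err := parseVersion(version)
	if err != nil {
		return false, err
	}
	fixed, _ := parseVersion(FixedVersion)
	return less(v, fixed), nil
}

// FetchVersion reads the instance's self-reported version from /api/v1/version.
func FetchVersion(baseURL string) (string, error) {
	client := &http.Client{Timeout: 10 * time.Second}
	resp, err := client.Get(strings.TrimRight(baseURL, "/") + "/api/v1/version")
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("unexpected status %s", resp.Status)
	}
	var body struct {
		Version string `json:"version"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&body); err != nil {
		return "", err
	}
	return body.Version, nil
}

func report(ver string) {
	hit, err := Affected(ver)
	switch {
	case err != nil:
		fmt.Printf("%-24s cannot parse: %v\n", ver, err)
	case hit:
		fmt.Printf("%-24s AFFECTED (below %s)\n", ver, FixedVersion)
	default:
		fmt.Printf("%-24s not affected\n", ver)
	}
}

func main() {
	if len(os.Args) > 1 { // usage: giteacheck https://gitea.example.com
		ver, err := FetchVersion(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, "error:", err)
			os.Exit(1)
		}
		report(ver)
		return
	}
	// Constructed sample strings, used when no instance URL is given.
	for _, v := range []string{"1.21.11", "1.22.1", "1.22.2-rc1", "1.22.2", "1.23.0+dev-123-gabcdef"} {
		report(v)
	}
}
```

On instances that require sign-in to view anything (REQUIRE_SIGNIN_VIEW), the version endpoint may answer 401 or 403 rather than 200; in that case run the check with a token or read the version from `gitea --version` on the host instead. The pre-release rule matters here: 1.22.2-rc1 predates the fix and is reported as affected.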

Vulnerability Details (3)

OSV, 2025-12-30: Gitea sometimes mishandles propagation of token scope for access control within one of its own package registries in code.gitea.io/gitea
OSV, 2025-12-26: Gitea sometimes mishandles propagation of token scope for access control within one of its own package registries
GHSA, 2025-12-26: Gitea sometimes mishandles propagation of token scope for access control within one of its own package registries

Vendor Advisories (1)

Red Hat, 2025-12-26: gitea: Gitea: Access control bypass in package registries

Threat Intelligence (1)

Wiz: CVE-2025-68944 Impact, Exploitability, and Mitigation Steps | Wiz