CVE-2025-69413 — Observable Response Discrepancy in Gitea

CWE-204 — Observable Response Discrepancy6 documents5 sources

Severity

5.3MEDIUMNVD

EPSS

0.0%

top 94.72%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Code.gitea.io Gitea Gitea

Timeline

PublishedJan 1

Latest updateJan 12

Description

In Gitea before 1.25.2, /api/v1/user has different responses for failed authentication depending on whether a username exists.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

▶NVDgitea/gitea< 1.25.2

▶Gocode.gitea.io/gitea< 1.25.2

Patches

Patch: github.com ↗

🔴Vulnerability Details

OSV

Gitea's /api/v1/user endpoint has different responses for failed authentication depending on whether a username exists in code.gitea.io/gitea↗2026-01-12

▶

OSV

Gitea's /api/v1/user endpoint has different responses for failed authentication depending on whether a username exists↗2026-01-01

▶

GHSA

Gitea's /api/v1/user endpoint has different responses for failed authentication depending on whether a username exists↗2026-01-01

▶

📋Vendor Advisories

Red Hat

Gitea: Gitea: Information disclosure via differing authentication responses↗2026-01-01

▶

🕵️Threat Intelligence

Wiz

CVE-2025-69413 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶