Gitea <1.23.0: Attachment API Bypasses Forbidden Extension Check
CVE-2025-68939 Published on December 26, 2025

Gitea before 1.23.0 allows attackers to add attachments with forbidden file extensions by editing an attachment name via an attachment API.

NVD

Vulnerability Analysis

CVE-2025-68939 can be exploited with network access, requires user interaction. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality and integrity, and a small impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
HIGH
Privileges Required:
NONE
User Interaction:
REQUIRED
Scope:
CHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
HIGH
Availability Impact:
LOW

Weakness Type

Improper Protection of Alternate Path

The product does not sufficiently protect all possible paths that a user can take to access restricted functionality or resources.


Products Associated with CVE-2025-68939

Want to know whenever a new CVE is published for Gitea? stack.watch will email you.

Gitea
 

Affected Versions

Gitea:

Exploit Probability

EPSS
0.01%
Percentile
1.49%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.