CVE-2025-68940 - OpenCVE

In Gitea before 1.22.5, branch deletion permissions are not adequately enforced after merging a pull request.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Gitea	Gitea

No data.

No data.

References

Link	Providers
https://blog.gitea.com/release-of-1.22.5/
https://github.com/go-gitea/gitea/pull/32654
https://github.com/go-gitea/gitea/releases/tag/v1.22.5
https://nvd.nist.gov/vuln/detail/CVE-2025-68940
https://www.cve.org/CVERecord?id=CVE-2025-68940

History

Sat, 27 Dec 2025 00:15:00 +0000

Type	Values Removed	Values Added
Title		gitea: Gitea: Unauthorized branch deletion due to inadequate permission enforcement
References		https://nvd.nist.gov/vuln/detail/CVE-2025-68940 https://www.cve.org/CVERecord?id=CVE-2025-68940
Metrics	threat_severity `None`	threat_severity `Low`

Fri, 26 Dec 2025 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 26 Dec 2025 02:45:00 +0000

Type	Values Removed	Values Added
Description		In Gitea before 1.22.5, branch deletion permissions are not adequately enforced after merging a pull request.
First Time appeared		Gitea Gitea gitea
Weaknesses		CWE-863
CPEs		cpe:2.3:a:gitea:gitea::::::::
Vendors & Products		Gitea Gitea gitea
References		https://blog.gitea.com/release-of-1.22.5/ https://github.com/go-gitea/gitea/pull/32654 https://github.com/go-gitea/gitea/releases/tag/v1.22.5
Metrics		cvssV3_1 `{'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N'}`

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2025-12-26T02:14:52.076Z

Updated: 2025-12-26T18:57:56.965Z

Reserved: 2025-12-26T02:14:51.782Z

Link: CVE-2025-68940

Vulnrichment

Updated: 2025-12-26T14:42:21.295Z

NVD

Status : Received

Published: 2025-12-26T03:15:50.810

Modified: 2025-12-26T03:15:50.810

Link: CVE-2025-68940

Redhat

Severity : Low

Publid Date: 2025-12-26T02:14:52Z

Links: CVE-2025-68940 - Bugzilla

{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2025-68940", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2025-12-26T02:14:51.782Z", "datePublished": "2025-12-26T02:14:52.076Z", "dateUpdated": "2025-12-26T18:57:56.965Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "packageURL": "pkg:golang/code.gitea.io/gitea", "product": "Gitea", "vendor": "Gitea", "versions": [{"lessThan": "1.22.5", "status": "affected", "version": "0", "versionType": "semver"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gitea:gitea:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.22.5"}]}]}], "descriptions": [{"lang": "en", "value": "In Gitea before 1.22.5, branch deletion permissions are not adequately enforced after merging a pull request."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2025-12-26T18:57:56.965Z"}, "references": [{"url": "https://blog.gitea.com/release-of-1.22.5/"}, {"url": "https://github.com/go-gitea/gitea/releases/tag/v1.22.5"}, {"url": "https://github.com/go-gitea/gitea/pull/32654"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-26T14:42:20.321275Z", "id": "CVE-2025-68940", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-26T14:50:55.781Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-68940", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-26T14:42:20.321275Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-26T14:42:21.295Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.1, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Gitea", "product": "Gitea", "versions": [{"status": "affected", "version": "0", "lessThan": "1.22.5", "versionType": "semver"}], "packageURL": "pkg:golang/code.gitea.io/gitea", "defaultStatus": "unaffected"}], "references": [{"url": "https://blog.gitea.com/release-of-1.22.5/"}, {"url": "https://github.com/go-gitea/gitea/releases/tag/v1.22.5"}, {"url": "https://github.com/go-gitea/gitea/pull/32654"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "descriptions": [{"lang": "en", "value": "In Gitea before 1.22.5, branch deletion permissions are not adequately enforced after merging a pull request."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:gitea:gitea:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "1.22.5"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2025-12-26T18:57:56.965Z"}}}, "cveMetadata": {"cveId": "CVE-2025-68940", "state": "PUBLISHED", "dateUpdated": "2025-12-26T18:57:56.965Z", "dateReserved": "2025-12-26T02:14:51.782Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2025-12-26T02:14:52.076Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"bugzilla": {"description": "gitea: Gitea: Unauthorized branch deletion due to inadequate permission enforcement", "id": "2425461", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2425461"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N", "status": "draft"}, "cwe": "CWE-863", "details": ["No description is available for this CVE."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2025-68940", "package_state": [{"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Out of support scope", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-cli-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Out of support scope", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-cli-rhel9", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Out of support scope", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-controller-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Out of support scope", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-controller-rhel9", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Out of support scope", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-watcher-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Out of support scope", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-watcher-rhel9", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Out of support scope", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-webhook-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Out of support scope", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-webhook-rhel9", "product_name": "OpenShift Pipelines"}], "public_date": "2025-12-26T02:14:52Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-68940\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-68940\nhttps://blog.gitea.com/release-of-1.22.5/\nhttps://github.com/go-gitea/gitea/pull/32654\nhttps://github.com/go-gitea/gitea/releases/tag/v1.22.5"], "statement": "This vulnerability is rated Low for Red Hat OpenShift Pipelines. The flaw in Gitea, integrated with OpenShift Pipelines, allows a low-privileged attacker to delete branches without proper authorization after a pull request is merged. This could compromise the integrity and history of affected repositories.", "threat_severity": "Low"}