CVE-2025-68937
9.5
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Summary
Forgejo before 13.0.2 allows attackers to write to unintended files, and possibly obtain server shell access, because of mishandling of out-of-repository symlink destinations for template repositories. This is also fixed for 11 LTS in 11.0.7 and later.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Forgejo | Forgejo | 12.0.0 < 13.0.2 | affected |
| Forgejo | Forgejo | 0 < 11.0.7 | affected |
Weaknesses
- CWE-61: CWE-61 UNIX Symbolic Link (Symlink) Following
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://codeberg.org/forgejo/forgejo/src/branch/forgejo/release-notes-published/13.0.2.md
- https://codeberg.org/forgejo/forgejo/src/branch/forgejo/release-notes-published/11.0.7.md
- https://codeberg.org/forgejo/forgejo/milestone/29156
- https://codeberg.org/forgejo/forgejo/milestone/27340
- https://codeberg.org/forgejo/security-announcements/issues/43
- https://blog.gitea.com/release-of-1.24.7/
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.