4.9

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-68941

CVE-2025-68941: Gitea mishandles access to a private resource upon receiving an API token with scope limited to public resources

Gitea before 1.22.3 mishandles access to a private resource upon receiving an API token with scope limited to public resources.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-68941

CVE-2025-68941:

4.9

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
code.gitea.io/gitea	go	< 1.22.3	1.22.3

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in Gitea's API authorization logic, which failed to consistently enforce token scopes intended to restrict access to public resources only. The core of the issue was an incomplete and fragmented implementation of the scope-checking mechanism.

The initial implementation, primarily within the reqToken and tokenRequiresScopes functions in routers/api/v1/api.go, only partially handled the public-only restriction, with checks limited to repositories and organizations. Other resources like packages, issues, and users were not covered, allowing a user with a public-only scoped API token to access private resources of these types.

Furthermore, several API endpoint functions responsible for searching or listing resources (e.g., SearchIssues, Search for repos, GetAll for orgs) did not correctly filter their results based on the token's scope. They would often return private or limited-visibility resources as long as the user was authenticated, ignoring the more restrictive scope of the token being used.

The patch addresses this vulnerability by introducing a centralized and more robust checking mechanism. A new middleware, checkTokenPublicOnly, is created to perform a comprehensive check across all relevant resource types. This middleware is then applied to all applicable API routes. The APIContext is enhanced with a PublicOnly boolean flag, which is set by the tokenRequiresScopes function and used by the new middleware and the endpoint functions themselves to correctly filter data. This ensures that any request made with a public-only token is properly restricted to accessing only public resources across the entire API surface.

Vulnerable functions

reqPackageAccess

routers/api/packages/api.go

The function `reqPackageAccess` did not check if the API token used for authentication had a scope limited to public resources. This allowed an attacker with a public-only token to access private packages. The patch adds a check to verify the token's scope and denies access to private packages if the scope is restricted to public resources.

reqToken

routers/api/v1/api.go

The `reqToken` function contained incomplete and flawed logic to enforce public-only token scopes. It only performed checks for repositories and organizations, leaving other resources like issues, packages, and users exposed. An attacker could use a public-only token to access these private resources. The patch removes this inadequate logic and replaces it with a more robust middleware-based approach.

GetAll

routers/api/v1/org/org.go

The `GetAll` function for listing organizations did not correctly filter out organizations with 'limited' visibility when a public-only token was used. It would include them as long as the user was signed in, ignoring the token's scope. The patch corrects this by adding a check for `ctx.PublicOnly`, ensuring that only public organizations are returned for such tokens.

SearchIssues

routers/api/v1/repo/issue.go

The `SearchIssues` function failed to restrict issue searches to public repositories when a public-only token was provided. It would incorrectly include issues from private repositories in the search results. The patch fixes this by setting the 'Private' search option based on the `ctx.PublicOnly` flag, effectively filtering out private issues for public-only tokens.

Search

routers/api/v1/repo/repo.go

The `Search` function for repositories did not enforce the public-only token scope, allowing searches to include private repositories. The patch introduces logic to check the `ctx.PublicOnly` flag and explicitly sets the search to non-private if the flag is true, preventing private repository data from being leaked.

Search

routers/api/v1/user/user.go

The `Search` function for users did not filter results based on the user's visibility when a public-only token was used. This could lead to the disclosure of information about non-public users. The patch addresses this by adding a 'Visible' filter to the search options, restricting the search to public users when `ctx.PublicOnly` is true.

tokenRequiresScopes

routers/api/v1/api.go

The `tokenRequiresScopes` function was responsible for parsing token scopes but did so in a flawed manner. It only set context data for repository and organization scopes, failing to properly signal the public-only restriction for other resource types. This incomplete implementation was a root cause of the authorization bypass in various API endpoints. The patch refactors this function to set a single, clear `PublicOnly` flag in the context, which is then used consistently by other functions and middleware.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

4.9

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-68941: Gitea mishandles access to a private resource upon receiving an API token with scope limited to public resources

CVE-2025-68941:

4.9

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-68941: Gitea mishandles access to a private resource upon receiving an API token with scope limited to public resources

4.9

4.9

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI