CVE-2025-68937 | THREATINT

Description

Forgejo before 13.0.2 allows attackers to write to unintended files, and possibly obtain server shell access, because of mishandling of out-of-repository symlink destinations for template repositories. This is also fixed for 11 LTS in 11.0.7 and later.

PUBLISHED Reserved 2025-12-25 | Published 2025-12-25 | Updated 2025-12-26 | Assigner mitre

CRITICAL: 9.5CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Problem types

CWE-61 UNIX Symbolic Link (Symlink) Following

Product status

Default status

unaffected

12.0.0 (semver) before 13.0.2

affected

Any version before 11.0.7

affected

References

codeberg.org/...ch/forgejo/release-notes-published/13.0.2.md

codeberg.org/...ch/forgejo/release-notes-published/11.0.7.md

codeberg.org/forgejo/forgejo/milestone/29156

codeberg.org/forgejo/forgejo/milestone/27340

codeberg.org/forgejo/security-announcements/issues/43

blog.gitea.com/release-of-1.24.7/

cve.org (CVE-2025-68937)

nvd.nist.gov (CVE-2025-68937)

Download JSON

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.

help @ threatint.eu