Description
Gitea versions before 1.25.5 do not persist the OAuth2 PKCE S256 challenge method correctly during authorization, allowing token exchange without the expected verifier check.
Problem types
Product status
Any version before 1.25.5
Credits
Aisle Research
References
github.com/go-gitea/gitea/pull/36462 (GitHub Pull Request #36462)
github.com/go-gitea/gitea/pull/36477 (GitHub Pull Request #36477)
github.com/go-gitea/gitea/releases/tag/v1.25.5 (Gitea v1.25.5 Release)
blog.gitea.com/release-of-1.25.5/ (Gitea v1.25.5 Release Blog Post)