CVE-2025-68939: Gitea allows attackers to add attachments with forbidden file extensions

December 26, 2025

Gitea before 1.23.0 allows attackers to add attachments with forbidden file extensions by editing an attachment name via an attachment API.

References

blog.gitea.com/release-of-1.23.0
github.com/advisories/GHSA-263q-5cv3-xq9g
github.com/go-gitea/gitea
github.com/go-gitea/gitea/pull/32151
github.com/go-gitea/gitea/releases/tag/v1.23.0
nvd.nist.gov/vuln/detail/CVE-2025-68939

Code Behaviors & Features

Detect and mitigate CVE-2025-68939 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →