CVE-2025-69413: Gitea's /api/v1/user endpoint has different responses for failed authentication depending on whether a username exists

January 1, 2026 (updated January 2, 2026)

In Gitea before 1.25.2, /api/v1/user has different responses for failed authentication depending on whether a username exists.

References

blog.gitea.com/release-of-1.25.2
github.com/advisories/GHSA-pc73-rj2c-wvf9
github.com/go-gitea/gitea
github.com/go-gitea/gitea/issues/35984
github.com/go-gitea/gitea/pull/36002
github.com/go-gitea/gitea/releases/tag/v1.25.2
nvd.nist.gov/vuln/detail/CVE-2025-69413

Code Behaviors & Features

Detect and mitigate CVE-2025-69413 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →