x/vulndb: potential Go vuln in code.gitea.io/gitea: GHSA-cm54-pfmc-xrwx

[GoVulnBot]

Advisory GHSA-cm54-pfmc-xrwx references a vulnerability in the following Go modules:

Module
code.gitea.io/gitea

Description:
Gitea before 1.25.2 mishandles authorization for deletion of releases.

References:

• ADVISORY: GHSA-cm54-pfmc-xrwx
• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-68938
• FIX: go-gitea/gitea@d426213#diff-8962bac89952027d50fa51f31f59d65bedb4c02bde0265eced5cf256cbed306d
• WEB: https://blog.gitea.com/release-of-1.25.2
• WEB: https://github.com/go-gitea/gitea/releases/tag/v1.25.2

Cross references:

• code.gitea.io/gitea appears in 20 other report(s):
  • data/reports/GO-2022-0310.yaml (x/vulndb: potential Go vuln in github.com/go-gitea/gitea: CVE-2021-45327 #310)
  • data/reports/GO-2022-0315.yaml (x/vulndb: potential Go vuln in github.com/go-gitea/gitea: CVE-2021-45331 #315)
  • data/reports/GO-2022-0353.yaml (x/vulndb: potential Go vuln in github.com/go-gitea/gitea: CVE-2021-29134 #353)
  • data/reports/GO-2022-0442.yaml (x/vulndb: potential Go vuln in github.com/go-gitea/gitea: CVE-2022-27313 #442)
  • data/reports/GO-2022-0450.yaml (x/vulndb: potential Go vuln in github.com/go-gitea/gitea: CVE-2022-30781 #450)
  • data/reports/GO-2022-0609.yaml (x/vulndb: potential Go vuln in code.gitea.io/gitea: GHSA-jr9c-h74f-2v28 #609)
  • data/reports/GO-2022-0612.yaml (x/vulndb: potential Go vuln in code.gitea.io/gitea: GHSA-ph3w-2843-72mx #612)
  • data/reports/GO-2022-0830.yaml (x/vulndb: potential Go vuln in github.com/go-gitea/gitea: GHSA-g2qx-6ghw-67hm #830)
  • data/reports/GO-2022-0832.yaml (x/vulndb: potential Go vuln in code.gitea.io/gitea: GHSA-g95p-88p4-76cm #832)
  • data/reports/GO-2022-0844.yaml (x/vulndb: potential Go vuln in code.gitea.io/gitea: GHSA-hf6f-jq25-8gq9 #844)
  • data/reports/GO-2022-0982.yaml (x/vulndb: potential Go vuln in code.gitea.io/gitea: CVE-2021-45330, GHSA-pg38-r834-g45j #982)
  • data/reports/GO-2022-1065.yaml (x/vulndb: potential Go vuln in github.com/go-gitea/gitea: CVE-2022-42968 #1065)
  • data/reports/GO-2023-1894.yaml (x/vulndb: potential Go vuln in code.gitea.io/gitea: GHSA-cf6v-9j57-v6r6 #1894)
  • data/reports/GO-2023-1922.yaml (x/vulndb: potential Go vuln in code.gitea.io/gitea: GHSA-5rh7-6gfj-mc87 #1922)
  • data/reports/GO-2023-1971.yaml (x/vulndb: potential Go vuln in gogs.io/gogs: GHSA-fg3x-rwq9-74cw #1971)
  • data/reports/GO-2023-1999.yaml (x/vulndb: potential Go vuln in github.com/go-gitea/gitea: CVE-2022-38795 #1999)
  • data/reports/GO-2024-2752.yaml (x/vulndb: potential Go vuln in code.gitea.io/gitea: GHSA-4rqq-rxvc-v2rc #2752)
  • data/reports/GO-2024-2757.yaml (x/vulndb: potential Go vuln in github.com/go-gitea/gitea: GHSA-9f8c-pfvv-p4gm #2757)
  • data/reports/GO-2024-2769.yaml (x/vulndb: potential Go vuln in code.gitea.io/gitea: GHSA-fhv8-m4j4-cww2 #2769)
  • data/reports/GO-2024-3056.yaml (x/vulndb: potential Go vuln in github.com/go-gitea/gitea: CVE-2024-6886 #3056)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: code.gitea.io/gitea
      versions:
        - fixed: 1.25.2
      vulnerable_at: 1.25.1
summary: Gitea mishandles authorization for deletion of releases in code.gitea.io/gitea
cves:
    - CVE-2025-68938
ghsas:
    - GHSA-cm54-pfmc-xrwx
references:
    - advisory: https://github.com/advisories/GHSA-cm54-pfmc-xrwx
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-68938
    - fix: https://github.com/go-gitea/gitea/pull/36002/commits/d4262131b39899d9e9ee5caa2635c810d476e43f#diff-8962bac89952027d50fa51f31f59d65bedb4c02bde0265eced5cf256cbed306d
    - web: https://blog.gitea.com/release-of-1.25.2
    - web: https://github.com/go-gitea/gitea/releases/tag/v1.25.2
source:
    id: GHSA-cm54-pfmc-xrwx
    created: 2025-12-26T19:01:02.878779871Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/733241 mentions this issue: data/reports: add 13 reports