x/vulndb: potential Go vuln in code.gitea.io/gitea: GHSA-xfq3-qj7j-4565

[GoVulnBot]

Advisory GHSA-xfq3-qj7j-4565 references a vulnerability in the following Go modules:

Module
code.gitea.io/gitea

Description:
Gitea before 1.22.3 mishandles access to a private resource upon receiving an API token with scope limited to public resources.

References:

• ADVISORY: GHSA-xfq3-qj7j-4565
• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-68941
• FIX: Fix bug when a token is given public only (#32204) go-gitea/gitea#32218
• WEB: https://blog.gitea.com/release-of-1.22.3
• WEB: https://github.com/go-gitea/gitea/releases/tag/v1.22.3

Cross references:

• code.gitea.io/gitea appears in 20 other report(s):
  • data/reports/GO-2022-0310.yaml (x/vulndb: potential Go vuln in github.com/go-gitea/gitea: CVE-2021-45327 #310)
  • data/reports/GO-2022-0315.yaml (x/vulndb: potential Go vuln in github.com/go-gitea/gitea: CVE-2021-45331 #315)
  • data/reports/GO-2022-0353.yaml (x/vulndb: potential Go vuln in github.com/go-gitea/gitea: CVE-2021-29134 #353)
  • data/reports/GO-2022-0442.yaml (x/vulndb: potential Go vuln in github.com/go-gitea/gitea: CVE-2022-27313 #442)
  • data/reports/GO-2022-0450.yaml (x/vulndb: potential Go vuln in github.com/go-gitea/gitea: CVE-2022-30781 #450)
  • data/reports/GO-2022-0609.yaml (x/vulndb: potential Go vuln in code.gitea.io/gitea: GHSA-jr9c-h74f-2v28 #609)
  • data/reports/GO-2022-0612.yaml (x/vulndb: potential Go vuln in code.gitea.io/gitea: GHSA-ph3w-2843-72mx #612)
  • data/reports/GO-2022-0830.yaml (x/vulndb: potential Go vuln in github.com/go-gitea/gitea: GHSA-g2qx-6ghw-67hm #830)
  • data/reports/GO-2022-0832.yaml (x/vulndb: potential Go vuln in code.gitea.io/gitea: GHSA-g95p-88p4-76cm #832)
  • data/reports/GO-2022-0844.yaml (x/vulndb: potential Go vuln in code.gitea.io/gitea: GHSA-hf6f-jq25-8gq9 #844)
  • data/reports/GO-2022-0982.yaml (x/vulndb: potential Go vuln in code.gitea.io/gitea: CVE-2021-45330, GHSA-pg38-r834-g45j #982)
  • data/reports/GO-2022-1065.yaml (x/vulndb: potential Go vuln in github.com/go-gitea/gitea: CVE-2022-42968 #1065)
  • data/reports/GO-2023-1894.yaml (x/vulndb: potential Go vuln in code.gitea.io/gitea: GHSA-cf6v-9j57-v6r6 #1894)
  • data/reports/GO-2023-1922.yaml (x/vulndb: potential Go vuln in code.gitea.io/gitea: GHSA-5rh7-6gfj-mc87 #1922)
  • data/reports/GO-2023-1971.yaml (x/vulndb: potential Go vuln in gogs.io/gogs: GHSA-fg3x-rwq9-74cw #1971)
  • data/reports/GO-2023-1999.yaml (x/vulndb: potential Go vuln in github.com/go-gitea/gitea: CVE-2022-38795 #1999)
  • data/reports/GO-2024-2752.yaml (x/vulndb: potential Go vuln in code.gitea.io/gitea: GHSA-4rqq-rxvc-v2rc #2752)
  • data/reports/GO-2024-2757.yaml (x/vulndb: potential Go vuln in github.com/go-gitea/gitea: GHSA-9f8c-pfvv-p4gm #2757)
  • data/reports/GO-2024-2769.yaml (x/vulndb: potential Go vuln in code.gitea.io/gitea: GHSA-fhv8-m4j4-cww2 #2769)
  • data/reports/GO-2024-3056.yaml (x/vulndb: potential Go vuln in github.com/go-gitea/gitea: CVE-2024-6886 #3056)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: code.gitea.io/gitea
      versions:
        - fixed: 1.22.3
      vulnerable_at: 1.22.2
summary: |-
    Gitea mishandles access to a private resource upon receiving an API token with
    scope limited to public resources in code.gitea.io/gitea
cves:
    - CVE-2025-68941
ghsas:
    - GHSA-xfq3-qj7j-4565
references:
    - advisory: https://github.com/advisories/GHSA-xfq3-qj7j-4565
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-68941
    - fix: https://github.com/go-gitea/gitea/pull/32218
    - web: https://blog.gitea.com/release-of-1.22.3
    - web: https://github.com/go-gitea/gitea/releases/tag/v1.22.3
source:
    id: GHSA-xfq3-qj7j-4565
    created: 2025-12-26T20:01:10.404720119Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/733241 mentions this issue: data/reports: add 13 reports