CVE-2025-68937 - Vulnerability Details

Forgejo before 13.0.2 allows attackers to write to unintended files, and possibly obtain server shell access, because of mishandling of out-of-repository symlink destinations for template repositories. This is also fixed for 11 LTS in 11.0.7 and later.

Attack Vector Network

Attack Complexity High

Privileges Required None

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact High

Subsequent System Integrity Impact High

Subsequent System Availability Impact High

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Vendors	Products
Forgejo	Forgejo

No data.

References

Link	Providers
https://blog.gitea.com/release-of-1.24.7/
https://codeberg.org/forgejo/forgejo/milestone/27340
https://codeberg.org/forgejo/forgejo/milestone/29156
https://codeberg.org/forgejo/forgejo/src/branch/forgejo/release-notes-published/11.0.7.md
https://codeberg.org/forgejo/forgejo/src/branch/forgejo/release-notes-published/13.0.2.md
https://codeberg.org/forgejo/security-announcements/issues/43

History

Fri, 26 Dec 2025 01:15:00 +0000

Type	Values Removed	Values Added
References		https://blog.gitea.com/release-of-1.24.7/

Fri, 26 Dec 2025 00:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Forgejo Forgejo forgejo
CPEs		cpe:2.3:a:forgejo:forgejo::::::::
Vendors & Products		Forgejo Forgejo forgejo
Metrics		cvssV4_0 `{'score': 9.5, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}`

Fri, 26 Dec 2025 00:00:00 +0000

Type	Values Removed	Values Added
Description		Forgejo before 13.0.2 allows attackers to write to unintended files, and possibly obtain server shell access, because of mishandling of out-of-repository symlink destinations for template repositories. This is also fixed for 11 LTS in 11.0.7 and later.
Weaknesses		CWE-61
References		https://codeberg.org/forgejo/forgejo/milestone/27340 https://codeberg.org/forgejo/forgejo/milestone/29156 https://codeberg.org/forgejo/forgejo/src/branch/forgejo/release-notes-published/11.0.7.md https://codeberg.org/forgejo/forgejo/src/branch/forgejo/release-notes-published/13.0.2.md https://codeberg.org/forgejo/security-announcements/issues/43

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2025-12-25T23:57:30.456Z

Updated: 2025-12-26T01:00:13.916Z

Reserved: 2025-12-25T23:57:30.203Z

Link: CVE-2025-68937

Vulnrichment

No data.

NVD

Status : Received

Published: 2025-12-26T00:16:01.173

Modified: 2025-12-26T01:15:58.833

Link: CVE-2025-68937

Redhat

No data.

OpenCVE Enrichment

No data.

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required None

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact High

Subsequent System Integrity Impact High

Subsequent System Availability Impact High

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object