CVE-2025-68937
CVE-2025-68937
Forgejo before 13.0.2 allows attackers to write to unintended files, and possibly obtain server shell access, because of mishandling of out-of-repository symlink destinations for template repositories. This is also fixed for 11 LTS in 11.0.7 and later.
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Affected products
Forgejo · ForgejoWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
https://blog.gitea.com/release-of-1.24.7/https://codeberg.org/forgejo/forgejo/milestone/27340https://codeberg.org/forgejo/forgejo/milestone/29156https://codeberg.org/forgejo/forgejo/src/branch/forgejo/release-notes-published/11.0.7.mdhttps://codeberg.org/forgejo/forgejo/src/branch/forgejo/release-notes-published/13.0.2.mdhttps://codeberg.org/forgejo/security-announcements/issues/43