Gitea Attachment API File Extension Bypass Vulnerability

Vulnerability

A vulnerability in Gitea versions prior to 1.23.0 allows users to upload attachments with disallowed file extensions by manipulating the attachment name through the attachment API. This issue arises because the API did not properly enforce file extension restrictions, enabling the upload of forbidden file types.
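The defensive point of this advisory is that a file-extension allow-list must be enforced on every path that can set an attachment's name, not only on the initial upload. The following Go sketch is an added example written for this page, not Gitea's own code; the policy type, the function names, the extension list and the rejection of trailing dots and path separators are all assumptions chosen for illustration. It shows one validator shared by the upload and the rename paths, so a rename cannot bypass a check the upload already passed.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrExtensionNotAllowed is returned for any name that fails the allow-list.
var ErrExtensionNotAllowed = errors.New("attachment: file extension not allowed")

// AttachmentPolicy holds the allowed extensions in lower case without the dot.
// (Constructed for this example; not Gitea's configuration model.)
type AttachmentPolicy struct {
	allowed map[string]bool
}

// NewAttachmentPolicy normalises the configured list so "PNG", ".png" and "png"
// all mean the same thing.
func NewAttachmentPolicy(exts []string) *AttachmentPolicy {
	p := &AttachmentPolicy{allowed: make(map[string]bool)}
	for _, e := range exts {
		p.allowed[strings.ToLower(strings.TrimPrefix(strings.TrimSpace(e), "."))] = true
	}
	return p
}

// ValidateName checks a proposed attachment name against the policy.
// It rejects path separators, strips trailing dots and spaces, lower-cases
// the extension, and refuses names with no extension at all, so that
// "EVIL.EXE", "evil.exe." and "payload.png.exe" are all rejected.
func (p *AttachmentPolicy) ValidateName(name string) error {
	if strings.ContainsAny(name, `/\`) {
		return fmt.Errorf("%w: %q contains a path separator", ErrExtensionNotAllowed, name)
	}
	base := filepath.Base(strings.TrimRight(name, ". "))
	ext := strings.ToLower(strings.TrimPrefix(filepath.Ext(base), "."))
	if ext == "" || !p.allowed[ext] {
		return fmt.Errorf("%w: %q", ErrExtensionNotAllowed, name)
	}
	return nil
}

// Attachment is a minimal stand-in for a stored attachment record.
type Attachment struct {
	ID   int
	Name string
}

// CreateAttachment models the upload path: the name is validated before the
// record is created.
func CreateAttachment(p *AttachmentPolicy, id int, name string) (*Attachment, error) {
	if err := p.ValidateName(name); err != nil {
		return nil, err
	}
	return &Attachment{ID: id, Name: name}, nil
}

// RenameAttachment models the edit path. The bug class described on this page
// is a rename path that skips the check; here it reuses the same validator, so
// a stored record can never end up with a disallowed extension.
func RenameAttachment(p *AttachmentPolicy, a *Attachment, newName string) error {
	if err := p.ValidateName(newName); err != nil {
		return err
	}
	a.Name = newName
	return nil
}

func main() {
	// Constructed allow-list for the demo.
	policy := NewAttachmentPolicy([]string{".png", "txt", "zip"})
	att, err := CreateAttachment(policy, 1, "notes.txt")
	fmt.Println("upload notes.txt:", att != nil, err)
	fmt.Println("rename to notes.exe:", RenameAttachment(policy, att, "notes.exe"))
	fmt.Println("rename to EVIL.EXE.:", RenameAttachment(policy, att, "EVIL.EXE."))
	fmt.Println("rename to notes.zip:", RenameAttachment(policy, att, "notes.zip"))
	fmt.Println("stored name:", att.Name)
}
```

The design choice worth copying is that both entry points call the same `ValidateName`, and the rename leaves the stored name untouched when validation fails; a check that lives only in the upload handler is exactly the gap this advisory describes.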

Impact

Exploitation of this vulnerability allows an attacker to store files with extensions the server's attachment policy is meant to reject. The impact depends on how those attachments are later served, executed or processed by the application or by users who download them.

Reproduction

To reproduce this vulnerability, upload an attachment through the attachment API while editing the attachment name to include a forbidden file extension. The server will accept the upload despite the disallowed extension.

Remediation

Update to Gitea version 1.23.0 or later, where this vulnerability has been fixed.

Added: Dec 26, 2025, 3:20 AM
Updated: Dec 26, 2025, 3:20 AM

Vulnerability Rating

Custom Algorithm

spread          7.6
impact          0.6
exploitability  5.8
remediation     7.7
relevance       1.6
threat          1.6
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to produce these 8 vulnerability categories, which are then combined into the overall risk score.