Gitea Token Scope Mismanagement Vulnerability in Package Registry Access Control

Vulnerability

A vulnerability exists in Gitea versions prior to 1.22.2: the application does not correctly propagate access-token scopes into the access-control checks of certain package registries. As a result, a token can be accepted for registry operations that its scopes should not permit, leading to unauthorized access or actions within the affected package registry.

Impact

Exploitation of this vulnerability could result in improper access control, allowing users to upload packages to registries without the necessary permissions.

Reproduction

The vulnerability can be reproduced by using a token that lacks the required scope to upload a package to a registry that enforces that permission. If the upload succeeds even though the token does not carry the appropriate scope, the token-scope mismanagement is confirmed.

Remediation

Users are advised to update to Gitea version 1.22.2, which addresses this vulnerability. Instructions for updating can be found in the Gitea installation guide. Until the update is applied, administrators should review which tokens hold package-related scopes and audit recent uploads to registries whose access rules were expected to be enforced.

Added: Dec 26, 2025, 4:18 AM
Updated: Dec 26, 2025, 4:18 AM

Vulnerability Rating

Custom Algorithm

spread: 7.6
impact: 0.6
exploitability: 5.8
remediation: 7.7
relevance: 1.6
threat: 1.6
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.