Gitea Repository Ownership Validation Vulnerability in Git LFS Lock Deletion

Vulnerability

A vulnerability exists in Gitea's handling of Git Large File Storage (LFS) locks: when a lock is deleted, Gitea did not properly validate that the lock belongs to the repository the request is made against. As a result, a user with write access to one repository could, inadvertently or intentionally, delete LFS locks held in other repositories, disrupting the version control and file management those locks are meant to protect.

Impact

Exploitation allows a user to delete LFS locks they should not be able to touch, including locks held by other users in other repositories. Because LFS locks exist to prevent concurrent edits to binary or otherwise unmergeable files, removing them can lead to conflicting changes and disrupt the workflow and file management of the affected repositories.

Reproduction

To reproduce this vulnerability, a user with write access to a repository issues an LFS lock deletion request against that repository while referencing a lock that belongs to a different repository. Because the lock's repository was not checked against the repository named in the request, the deletion succeeded instead of being rejected, so locks could be removed from repositories other than the user's own.
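The following Go example is added here to illustrate the class of bug described above; it is constructed for this page and is neither Gitea's code nor its actual fix. It models an in-memory lock store with a hypothetical deletion handler that fetches a lock by ID without comparing the lock's repository to the repository that the request (and the caller's write permission) was scoped to, beside the hardened form that performs that comparison. The types, function names and sample locks are all assumptions made for the illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical in-memory model used only for this example; these are not
// Gitea's own types or functions.
type LFSLock struct {
	ID      int64
	RepoID  int64 // repository the lock belongs to
	Path    string
	OwnerID int64
}

type LockStore struct {
	locks map[int64]LFSLock
}

var ErrLockNotFound = errors.New("lfs lock not found")

// NewLockStore seeds the store with the given locks.
func NewLockStore(locks ...LFSLock) *LockStore {
	s := &LockStore{locks: make(map[int64]LFSLock)}
	for _, l := range locks {
		s.locks[l.ID] = l
	}
	return s
}

// SampleStore returns constructed sample data: lock 1 lives in repository 10,
// lock 2 lives in repository 20.
func SampleStore() *LockStore {
	return NewLockStore(
		LFSLock{ID: 1, RepoID: 10, Path: "assets/logo.psd", OwnerID: 100},
		LFSLock{ID: 2, RepoID: 20, Path: "design/mockup.sketch", OwnerID: 200},
	)
}

// Has reports whether a lock with the given ID still exists.
func (s *LockStore) Has(lockID int64) bool {
	_, ok := s.locks[lockID]
	return ok
}

// DeleteLockUnchecked models the vulnerable pattern. The caller has already
// been authorized to write to repoID, but the lock is fetched by ID alone and
// lock.RepoID is never compared with repoID, so a lock from any repository
// can be removed through a repository the caller can write to.
func (s *LockStore) DeleteLockUnchecked(repoID, lockID int64) error {
	_ = repoID // authorization used this value; the lookup below does not
	l, ok := s.locks[lockID]
	if !ok {
		return ErrLockNotFound
	}
	delete(s.locks, l.ID)
	return nil
}

// DeleteLock is the hardened form: a lock may only be deleted through the
// repository it belongs to. Answering "not found" rather than "forbidden"
// for a foreign lock also avoids confirming that the lock ID exists elsewhere.
func (s *LockStore) DeleteLock(repoID, lockID int64) error {
	l, ok := s.locks[lockID]
	if !ok || l.RepoID != repoID {
		return ErrLockNotFound
	}
	delete(s.locks, l.ID)
	return nil
}

func main() {
	// The caller has write access to repository 10 and targets lock 2 (repository 20).
	vuln := SampleStore()
	fmt.Println("unchecked delete of foreign lock:", vuln.DeleteLockUnchecked(10, 2),
		"| lock 2 still present:", vuln.Has(2))

	fixed := SampleStore()
	fmt.Println("checked delete of foreign lock:", fixed.DeleteLock(10, 2),
		"| lock 2 still present:", fixed.Has(2))
	fmt.Println("checked delete via owning repo:", fixed.DeleteLock(20, 2),
		"| lock 2 still present:", fixed.Has(2))
}
```

The fix is a single comparison, but it has to be applied to the record actually fetched (or folded into the query as a second predicate); a lookup by lock ID alone silently widens the authorization scope from "locks in this repository" to "any lock ID on the instance".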

Remediation

Upgrade to Gitea 1.25.4 or later, where this vulnerability has been addressed.

Added: Jan 22, 2026, 10:22 PM
Updated: Jan 22, 2026, 10:22 PM

Vulnerability Rating

Custom Algorithm
spread: 7.6
impact: 0.6
exploitability: 5.8
remediation: 7.7
relevance: 2.3
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.