Vulnerability Description
Forgejo before 13.0.2 allows attackers to write to unintended files, and possibly obtain server shell access, because of mishandling of out-of-repository symlink destinations for template repositories. This is also fixed for 11 LTS in 11.0.7 and later.
Related Weaknesses (CWE)
References
- https://blog.gitea.com/release-of-1.24.7/
- https://codeberg.org/forgejo/forgejo/milestone/27340
- https://codeberg.org/forgejo/forgejo/milestone/29156
- https://codeberg.org/forgejo/forgejo/src/branch/forgejo/release-notes-published/
- https://codeberg.org/forgejo/forgejo/src/branch/forgejo/release-notes-published/
- https://codeberg.org/forgejo/security-announcements/issues/43
FAQ
What is CVE-2025-68937?
CVE-2025-68937 is a documented vulnerability. Forgejo before 13.0.2 allows attackers to write to unintended files, and possibly obtain server shell access, because of mishandling of out-of-repository symlink destinations for template repositories...
How severe is CVE-2025-68937?
CVSS scoring is not yet available for CVE-2025-68937. Check NVD for updates.
Is there a patch for CVE-2025-68937?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.