Gitea's Tattletale API: User Enumeration via Error Messages
Vulnerability ID: CVE-2025-69413
CVSS Score: 5.3
Published: 2026-01-01
A classic response discrepancy vulnerability in Gitea's API authentication logic allows unauthenticated attackers to enumerate valid usernames based on specific error messages.
TL;DR
Gitea versions prior to 1.25.2 respond differently to login attempts depending on whether the username exists or not. Attackers can use this 'oracle' to build a list of valid users, paving the way for targeted credential stuffing or social engineering attacks.
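To make the "oracle" concrete, here is an added Python illustration (not Gitea's code, which is written in Go, and not the actual Gitea error strings) of the two handler shapes the TL;DR contrasts: one whose failure response depends on whether the username exists, and a hardened one that returns a single status and message for every failure and spends the same hashing work either way. The user store, salt, iteration count and messages are constructed for the demonstration; `failure_responses_differ` is a regression check a maintainer could keep around to catch the discrepancy creeping back in.

```python
import hashlib
import hmac
from typing import Dict, Tuple

# Constructed user store (hypothetical schema, not Gitea's): username -> (salt, PBKDF2 digest).
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = b"constructed-salt"
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "alice": (_SALT, _hash("correct horse", _SALT)),
}
# Dummy credential so an unknown username still costs exactly one hash computation.
_DUMMY = (_SALT, _hash("unused", _SALT))


def login_leaky(username: str, password: str) -> Tuple[int, str]:
    """Vulnerable pattern (CWE-204): the failure message tells the caller whether
    the username exists, and the unknown-user path returns before any hashing."""
    if username not in USERS:
        return 401, "user does not exist"
    salt, digest = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), digest):
        return 401, "invalid password"
    return 200, "ok"


def login_uniform(username: str, password: str) -> Tuple[int, str]:
    """Hardened pattern: one status code and one message for every failure, and the
    password is hashed against a dummy record when the user is unknown so the
    response time does not become the next oracle."""
    salt, digest = USERS.get(username, _DUMMY)
    matches = hmac.compare_digest(_hash(password, salt), digest)
    # The membership test is evaluated after the hash, never as an early return.
    if not (matches and username in USERS):
        return 401, "invalid username or password"
    return 200, "ok"


def failure_responses_differ(login) -> bool:
    """Regression check: does a wrong password for a real user produce a different
    (status, message) pair than any password for a user that does not exist?"""
    return login("alice", "wrong") != login("nobody", "wrong")
```

Identical messages are necessary but not sufficient: an early `return` on the unknown-user branch skips the password hash and leaves a measurable timing difference, which is why `login_uniform` looks up a dummy record instead of branching first. Status code, message body and response time should all be compared when reviewing an authentication endpoint for this class of bug.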
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-204
- Attack Vector: Network (API)
- CVSS Score: 5.3 (Medium)
- Impact: Information Disclosure
- Exploit Status: Trivial (Manual)
- Authentication: None Required
Affected Systems
- Gitea Self-Hosted Git Service
- Gitea: < 1.25.2 (Fixed in: 1.25.2)
Exploit Details
- Manual: verification using curl commands against the API.
Mitigation Strategies
- Update Gitea to the latest stable version.
- Implement rate limiting on authentication endpoints.
- Monitor logs for high volumes of 401 Unauthorized errors.
- Use Fail2Ban to block IPs probing multiple usernames.
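The log-monitoring and Fail2Ban items above both come down to the same signal: one source address collecting 401s across many different usernames in a short window. The following added Python example (not part of the original advisory, and not a Gitea or Fail2Ban component) implements that check over constructed access-log lines. It assumes Gitea sits behind nginx using the standard "combined" log format, where the `$remote_user` field records the HTTP Basic username sent to the API; the addresses, usernames and timestamps are made up for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed nginx "combined" access-log lines from a reverse proxy in front of Gitea.
# Assumption: $remote_user (third field) carries the Basic-auth username presented to the API.
SAMPLE_LOG = """\
203.0.113.7 - admin [01/Jan/2026:10:00:01 +0000] "GET /api/v1/user HTTP/1.1" 401 0 "-" "curl/8.5.0"
203.0.113.7 - alice [01/Jan/2026:10:00:02 +0000] "GET /api/v1/user HTTP/1.1" 401 0 "-" "curl/8.5.0"
203.0.113.7 - bob [01/Jan/2026:10:00:03 +0000] "GET /api/v1/user HTTP/1.1" 401 0 "-" "curl/8.5.0"
203.0.113.7 - carol [01/Jan/2026:10:00:04 +0000] "GET /api/v1/user HTTP/1.1" 401 0 "-" "curl/8.5.0"
203.0.113.7 - dave [01/Jan/2026:10:00:05 +0000] "GET /api/v1/user HTTP/1.1" 401 0 "-" "curl/8.5.0"
198.51.100.5 - alice [01/Jan/2026:10:01:00 +0000] "GET /api/v1/user HTTP/1.1" 401 0 "-" "git/2.43.0"
198.51.100.5 - alice [01/Jan/2026:10:01:30 +0000] "GET /api/v1/user HTTP/1.1" 200 312 "-" "git/2.43.0"
198.51.100.9 - - [01/Jan/2026:10:02:00 +0000] "GET /explore/repos HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_auth_failures(text: str) -> List[Tuple[str, datetime, str]]:
    """Return (ip, timestamp, username) for every 401 on an /api/ path that carried a username."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or non-combined line; skip rather than guess
        if m["status"] != "401" or m["user"] == "-" or not m["path"].startswith("/api/"):
            continue
        ts = datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z")
        events.append((m["ip"], ts, m["user"]))
    return events


def find_enumeration(text: str,
                     window: timedelta = timedelta(minutes=5),
                     min_users: int = 4) -> Dict[str, Set[str]]:
    """Flag each source IP whose 401s cover at least `min_users` distinct usernames
    inside some `window`. A legitimate user retrying their own password produces
    many 401s but only one username, so it is not flagged. Returns ip -> every
    username that IP received a 401 for."""
    by_ip: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ip, ts, user in parse_auth_failures(text):
        by_ip[ip].append((ts, user))

    flagged: Dict[str, Set[str]] = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            in_window = {u for t, u in events[i:] if t - start <= window}
            if len(in_window) >= min_users:
                flagged[ip] = {u for _, u in events}
                break
    return flagged


if __name__ == "__main__":
    for ip, users in find_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: 401 for {len(users)} distinct usernames -> {sorted(users)}")
```

The distinct-username count is the discriminator; a raw 401 threshold alone would also catch the developer on 198.51.100.5 who mistyped a password once. The same regex (with the `ip` group as Fail2Ban's `<HOST>`) is the starting point for a filter if you want the blocking automated, though Fail2Ban counts lines rather than distinct usernames, so pair it with rate limiting as the list above suggests.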
Remediation Steps:
- Stop the Gitea service:
  sudo systemctl stop gitea
- Download the 1.25.2+ binary from the official Gitea release page.
- Replace the existing binary:
  cp gitea-1.25.2-linux-amd64 /usr/local/bin/gitea
- Ensure permissions are correct:
  chmod +x /usr/local/bin/gitea
- Restart the service:
  sudo systemctl start gitea