CVE-2026-28705 in Gitea

Summary

by MITRE • 07/04/2026

Gitea versions before 1.25.5 use release tag names and asset names as filesystem path components when dumping release assets, allowing specially crafted names to affect dump output paths.


Analysis

by VulDB Data Team • 07/04/2026

This vulnerability in Gitea versions prior to 1.25.5 is a path traversal flaw in the code that dumps release assets. Release tag names and asset names, both controlled by any user who can create releases on a repository, are used directly as filesystem path components when the dump output path is built, without validation or normalization. A name containing traversal sequences such as ../ or ..\ therefore moves the write location outside the intended dump directory. The exposed component is the dump itself: crafted names change where exported release files land, which is what the MITRE summary means by affecting dump output paths.

The weakness is catalogued as CWE-23 Relative Path Traversal. The relevant property of path-joining APIs is that they normalise .. segments rather than reject them, so a path built from an unvalidated name silently resolves to a location the dumping code never intended. The practical consequence is that a dump can write files to attacker-chosen paths relative to the dump directory, with the permissions of the account performing the dump. How far that reaches depends on where the dump is written and which account runs it: a dump produced by a privileged account into a directory from which traversal can reach system paths could overwrite configuration, plant files that are later executed, or corrupt other exported repository data; a dump produced by an unprivileged account into a dedicated empty directory limits the damage to whatever that account can write above the dump directory.

The ATT&CK mapping recorded here is T1059 Command and Scripting Interpreter, reflecting the follow-on scenario in which a file planted by a crafted dump is later executed. The supply-chain concern is real but narrower than a tampered download: the crafted names do not alter the release files Gitea serves to end users, they alter where a dump writes them. The parties at risk are operators who export data, for backup or migration, from an instance that hosts releases created by untrusted users, and anything that lives where that export is written. Because release assets are frequently executables or libraries that downstream users run without further verification, any process that republishes or restores from such a dump should treat its contents as untrusted until the tag and asset names have been checked.

The fix is to upgrade to Gitea 1.25.5 or later, where tag and asset names are no longer used unchecked as path components. Until an instance is upgraded, administrators should restrict who can create releases and tags on repositories, run dumps as an unprivileged account into a dedicated, initially empty directory, and review the output tree for entries outside the expected release layout. Existing release tag and asset names should be audited for path separators, leading or embedded .. segments, and absolute paths. For code that builds such paths, the correct control is to validate each user-supplied name as a single plain path element and then confirm that the joined result still lies within the base directory; escaping special characters at output time does not address the problem, since the filesystem interprets the separators regardless of encoding.
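The flawed pattern and its hardening, as an added Go example written for this page (not Gitea's own code and not the upstream patch): UnsafeDumpPath joins the names the way vulnerable code does, SafeDumpPath validates each component as a single path element and then checks that the joined result stays inside the dump directory. The /srv/gitea-dump directory, the releases/ subfolder layout, and the sample tag and asset names are assumptions for illustration; the results shown follow POSIX path rules.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrUnsafeName marks a tag or asset name that cannot be used as a single path element.
var ErrUnsafeName = errors.New("unsafe release name")

// UnsafeDumpPath reproduces the flawed pattern: user-controlled names are joined
// straight into the output path. filepath.Join cleans ".." segments instead of
// rejecting them, so a crafted tag silently relocates the destination outside dumpDir.
// The "releases" subfolder is an assumed layout for this example.
func UnsafeDumpPath(dumpDir, tag, asset string) string {
	return filepath.Join(dumpDir, "releases", tag, asset)
}

// ValidateComponent accepts only a plain, single path element. Both separators are
// rejected explicitly: on Linux filepath treats "\" as an ordinary character, but a
// dump later restored on Windows would interpret it as a separator.
func ValidateComponent(name string) error {
	switch {
	case name == "", name == ".", name == "..":
		return fmt.Errorf("%w: %q is not a usable element", ErrUnsafeName, name)
	case strings.ContainsAny(name, "/\\\x00"):
		return fmt.Errorf("%w: %q contains a separator or NUL", ErrUnsafeName, name)
	case filepath.IsAbs(name), filepath.VolumeName(name) != "":
		return fmt.Errorf("%w: %q is absolute or carries a volume name", ErrUnsafeName, name)
	}
	return nil
}

// Contains reports whether path equals base or lies beneath it, using a relative-path
// computation rather than a string prefix so "/srv/d" does not match "/srv/d2/x".
func Contains(base, path string) bool {
	rel, err := filepath.Rel(base, path)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// SafeDumpPath validates each component, then confirms the joined result is still
// inside dumpDir. The containment check is defence in depth for anything the
// per-component rules might miss.
func SafeDumpPath(dumpDir, tag, asset string) (string, error) {
	for _, c := range []string{tag, asset} {
		if err := ValidateComponent(c); err != nil {
			return "", err
		}
	}
	base := filepath.Clean(dumpDir)
	out := filepath.Join(base, "releases", tag, asset)
	if !Contains(base, out) {
		return "", fmt.Errorf("%w: %q escapes %q", ErrUnsafeName, out, base)
	}
	return out, nil
}

func main() {
	// Constructed sample names: one legitimate release and three crafted ones.
	cases := []struct{ tag, asset string }{
		{"v1.25.4", "gitea-linux-amd64.xz"},
		{"../../../etc", "cron.d"},           // POSIX traversal in the tag
		{"v1.0", `..\..\..\Windows\win.ini`}, // Windows-style traversal in the asset
		{"/tmp", "payload.sh"},               // absolute tag
	}
	for _, c := range cases {
		fmt.Printf("unsafe: %s\n", UnsafeDumpPath("/srv/gitea-dump", c.tag, c.asset))
		if p, err := SafeDumpPath("/srv/gitea-dump", c.tag, c.asset); err != nil {
			fmt.Printf("safe:   rejected: %v\n", err)
		} else {
			fmt.Printf("safe:   %s\n", p)
		}
	}
}
```

Running the block shows the tag ../../../etc resolving to /etc/cron.d under UnsafeDumpPath while SafeDumpPath rejects it. ValidateComponent is also the check to run over an instance's existing tag and asset names when auditing before a dump on an unpatched version.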

Responsible

Gitea

Reservation

03/03/2026

Disclosure

07/04/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low
