GHSA-f85h-c7m6-cfpm

Suggest an improvement
Source
https://github.com/advisories/GHSA-f85h-c7m6-cfpm
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-f85h-c7m6-cfpm/GHSA-f85h-c7m6-cfpm.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-f85h-c7m6-cfpm
Aliases
Published
2025-12-26T06:30:27Z
Modified
2026-01-01T12:25:53.416374Z
Severity
  • 5.0 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N CVSS Calculator
Summary
Gitea sometimes mishandles propagation of token scope for access control within one of its own package registries
Details

Gitea before 1.22.2 sometimes mishandles the propagation of token scope for access control within one of its own package registries.

Database specific 
{
    "severity": "MODERATE",
    "github_reviewed_at": "2025-12-26T19:30:16Z",
    "cwe_ids": [
        "CWE-441"
    ],
    "nvd_published_at": "2025-12-26T04:15:41Z",
    "github_reviewed": true
}
References

Affected packages

Go / code.gitea.io/gitea

Package

Name
code.gitea.io/gitea
View open source insights on deps.dev
Purl
pkg:golang/code.gitea.io/gitea

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.22.2

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-f85h-c7m6-cfpm/GHSA-f85h-c7m6-cfpm.json"