Description
In Forgejo through 13.0.3, the attachment component allows a denial of service by uploading a multi-gigabyte file attachment (e.g., to be associated with an issue or a release).
Published: 2026-03-16
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

Forgejo versions up through 13.0.3 include an attachment component that accepts user uploads. An attacker can upload a multi‑gigabyte file as an issue or release attachment, causing the application to consume excessive disk and memory resources. This resource exhaustion leads to a denial of service for all users. The weakness is characterized by CWE‑400 (Uncontrolled Resource Consumption) and CWE‑770 (Allocation of Resources without Limits).

Affected Systems

The vulnerability affects the Forgejo source‑code collaborative platform. No explicit vendor or product name list is provided; the only version information available identifies affected releases as up to and including 13.0.3. Users of later versions are not known to be impacted.

Risk and Exploitability

The CVSS base score is 6.5, placing the issue in the moderate severity range. The EPSS score is below 1%, indicating a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Attack is inferred to require authenticated access to create an attachment, as uploads are typically performed by logged‑in users. The lack of a publicly documented exploit and the low exploitation probability suggest a modest but tangible risk to systems that allow large file uploads without size restrictions.

Generated by OpenCVE AI on March 18, 2026 at 13:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the Forgejo project or community repositories for an updated release that addresses the attachment upload denial of service.
  • If no patch is available, configure the Forgejo instance to enforce a maximum upload file size that is well below the multi‑gigabyte threshold.
  • Monitor application logs for unusually large upload attempts and block or quarantine offending users.
  • Verify that the server’s operating system and file system have adequate quotas or disk usage limits to prevent resource exhaustion.

Generated by OpenCVE AI on March 18, 2026 at 13:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 18 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Title forgejo: Forgejo: Denial of Service via large file attachment upload
Weaknesses CWE-770
References
Metrics threat_severity

None

 threat_severity

Moderate

Tue, 17 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

 cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 17 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 17 Mar 2026 16:00:00 +0000

Type Values Removed Values Added
References

Tue, 17 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Forgejo
Forgejo forgejo
Vendors & Products Forgejo
Forgejo forgejo

Mon, 16 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Description In Forgejo through 13.0.3, the attachment component allows a denial of service by uploading a multi-gigabyte file attachment (e.g., to be associated with an issue or a release).
References

Subscriptions

Forgejo Forgejo
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-17T20:47:45.452Z

Reserved: 2025-12-27T00:00:00.000Z

Link: CVE-2025-68971

cve-icon Vulnrichment

Updated: 2026-03-17T15:23:12.702Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-16T20:16:14.863

Modified: 2026-03-17T21:16:18.823

Link: CVE-2025-68971

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-16T00:00:00Z

Links: CVE-2025-68971 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-23T14:01:03Z

Weaknesses