Impact
Gitea versions released before 1.25.5 suffer from insufficient permission checks when a user updates or rebases a pull‑request branch. The description implies that the flaw allows a user who is not supposed to alter the branch’s contents to succeed in doing so, opening a path for the introduction of malicious changes before a pull request is merged. Based on the nature of the vulnerability, it is inferred that such unauthorized changes could compromise code integrity, potentially affecting subsequent build or deployment pipelines, but the description does not explicitly mention code‑review or build impacts.
Affected Systems
The incorrect authorization logic applies to Gitea Open Source Git Server installations with a version older than 1.25.5. Any deployment running a prior release is susceptible because the flaw exists in the core logic that governs pull‑request branch updates.
Risk and Exploitability
The EPSS score is less than 1% and the vulnerability is not listed in CISA’s KEV catalog; the CVE data does not provide evidence of public exploitation. The flaw can be exploited by any authenticated user with pull‑request interaction rights who should not have permission to rebase or replace a pull‑request branch. This condition is inferred from the described permission model. Consequently, the risk remains significant, especially in environments with permissive contributor access or loosely controlled RBAC.
OpenCVE Enrichment