Impact
Gitea versions prior to 1.25.5 perform a lookup of tracked‑time entries solely by the time identifier, failing to constrain the lookup to the issue specified in the request URL. This flaw allows a user to issue a deletion request that targets a tracked‑time entry belonging to a different issue, effectively removing data that may be outside the user’s intended scope. The vulnerability is a classic authorization bypass and is represented by CWE‑639. If leveraged, an attacker could erase time tracking information, disrupt project reporting, and compromise data integrity for multiple issues across the repository. There is no evidence of a public exploit, the EPSS score is < 1 %, and the CVE is not listed in the CISA KEV catalog. The lack of a CVSS score and exploit data suggests the risk is primarily tied to privilege misuse in an authenticated context, but without a publicly known exploit it remains a moderate to high risk for organizations using pre‑1.25.5 Gitea deployments and relying on tracked‑time data for accountability or billing.
Affected Systems
All releases of Gitea Open Source Git Server before version 1.25.5 are affected. This includes every publicly available open‑source release of the Gitea Git server that lacks the patch applied in version 1.25.5 and later, regardless of the deployment environment.
Risk and Exploitability
The vulnerability can be exercised through the tracked‑time deletion API or web interface by providing a time ID that points to an entry belonging to a different issue. Because the lookup is not scoped to the issue in the request URL, a user who can delete tracked‑time entries for one issue can delete entries for any other issue, assuming they have chosen a valid time identifier. This constitutes an authorization bypass that allows a malicious authenticated user to tamper with time tracking data across the repository. The CVE data does not include a CVSS score, and the EPSS score is < 1 %, but the absence of a published exploit and the lack of KEV listing suggest the exploitation likelihood is moderate. Nevertheless, the impact on data integrity and accountability can be significant for organizations that rely on tracked‑time for billing or reporting, so the overall risk is considered moderate to high.
OpenCVE Enrichment