CVE-2025-69413

Gitea's Tattletale API: User Enumeration via Error Messages

Amit Schendel
Senior Security Researcher

Jan 2, 2026 · 6 min read

Executive Summary (TL;DR)

Gitea versions prior to 1.25.2 respond differently to login attempts depending on whether the submitted username exists. Attackers can use this 'oracle' to build a list of valid users, paving the way for targeted credential stuffing or social engineering attacks.

A classic response discrepancy vulnerability in Gitea's API authentication logic allows unauthenticated attackers to enumerate valid usernames based on specific error messages.
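As an added example, not Gitea's code and not taken from the advisory, the Go snippet below places a hypothetical login handler with the distinct-error-message flaw (CWE-204) beside a hardened one that answers an unknown user and a wrong password identically, and includes a regression check a maintainer can run against either handler. The account store, credentials and the /api/v1/login path are constructed for the demo.

```go
package main
import (
	"crypto/subtle"
	"net/http"
	"net/http/httptest"
)

var users = map[string]string{"alice": "s3cret-demo"} // constructed sample store; "alice" is the only valid user

// vulnerableLogin: hypothetical handler with the CWE-204 flaw; its error text reveals whether the user exists.
func vulnerableLogin(w http.ResponseWriter, r *http.Request) {
	user, pass, _ := r.BasicAuth()
	stored, ok := users[user]
	switch {
	case !ok:
		http.Error(w, "user does not exist", http.StatusUnauthorized)
	case pass != stored:
		http.Error(w, "wrong password", http.StatusUnauthorized)
	default:
		w.Write([]byte("ok"))
	}
}

// hardenedLogin: one status and body for both failure causes; constant-time compare avoids a timing leak.
func hardenedLogin(w http.ResponseWriter, r *http.Request) {
	user, pass, _ := r.BasicAuth()
	stored, ok := users[user] // "" for an unknown user, still compared below
	if !ok || subtle.ConstantTimeCompare([]byte(pass), []byte(stored)) != 1 {
		http.Error(w, "invalid username or password", http.StatusUnauthorized)
		return
	}
	w.Write([]byte("ok"))
}

// attempt sends one Basic-auth login to a handler and returns the status code and body.
func attempt(h http.HandlerFunc, user, pass string) (int, string) {
	req := httptest.NewRequest(http.MethodPost, "/api/v1/login", nil)
	req.SetBasicAuth(user, pass)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code, rec.Body.String()
}

// leaksExistence reports whether a failed login for a real account is distinguishable from one for a nonexistent account.
func leaksExistence(h http.HandlerFunc) bool {
	c1, b1 := attempt(h, "alice", "bad-pass")
	c2, b2 := attempt(h, "nobody", "bad-pass")
	return c1 != c2 || b1 != b2
}
```

leaksExistence returns true for vulnerableLogin and false for hardenedLogin, which is the property a unit test for the fix should pin down.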

Technical Appendix

CVSS Score
5.3 / 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS Probability
0.04%
Top 100% most exploited

Affected Systems

Gitea Self-Hosted Git Service

Affected Versions Detail

Product    Affected Versions    Fixed Version
Gitea      < 1.25.2             1.25.2

Attribute          Detail
CWE ID             CWE-204 (Observable Response Discrepancy)
Attack Vector      Network (API)
CVSS Score         5.3 (Medium)
Impact             Information Disclosure
Exploit Status     Trivial (Manual)
Authentication     None Required

Vulnerability Timeline

Vulnerability discovered/reported
2025-02-04
Fix merged in PR #36002
2025-02-05
Gitea 1.25.2 released
2025-02-06