Jan 2, 2026 · 6 min read
Gitea versions prior to 1.25.2 respond differently to login attempts depending on whether the supplied username exists. Attackers can use this response 'oracle' to build a list of valid users, paving the way for targeted credential stuffing or social engineering attacks.
This is a classic observable response discrepancy (CWE-204) in Gitea's API authentication logic: an unauthenticated attacker can enumerate valid usernames by comparing the distinct error messages returned for unknown users and for known users with a wrong password.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

| Product | Affected Versions | Fixed Version |
|---|---|---|
| Gitea | < 1.25.2 | 1.25.2 |

| Attribute | Detail |
|---|---|
| CWE ID | CWE-204 |
| Attack Vector | Network (API) |
| CVSS Score | 5.3 (Medium) |
| Impact | Information Disclosure |
| Exploit Status | Trivial (Manual) |
| Authentication | None Required |
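The bug class and its fix, as an added example that is not Gitea's own code: a login check whose error text differs for unknown users (the CWE-204 pattern above) beside a hardened version that returns one message and does the same amount of work on both paths. The in-memory user table, the password and the error strings are constructed for this example; SHA-256 stands in for a proper slow password hash purely to keep it self-contained.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Constructed stand-in for the user database (SHA-256 only to stay dependency-free).
var userStore = map[string][32]byte{
	"alice": sha256.Sum256([]byte("correct horse battery staple")),
}

// Compared against on the unknown-user path so it costs the same as a real lookup.
var dummyHash = sha256.Sum256([]byte("dummy"))

type LoginResult struct {
	Status  int
	Message string
}

func hashOf(s string) []byte { h := sha256.Sum256([]byte(s)); return h[:] }

// loginLeaky: the message reveals whether the username exists (CWE-204).
func loginLeaky(user, pass string) LoginResult {
	stored, ok := userStore[user]
	if !ok {
		return LoginResult{401, "user does not exist"}
	}
	if subtle.ConstantTimeCompare(stored[:], hashOf(pass)) != 1 {
		return LoginResult{401, "wrong password"}
	}
	return LoginResult{200, "ok"}
}

// loginUniform: one failure message, same comparison on both paths.
func loginUniform(user, pass string) LoginResult {
	stored, ok := userStore[user]
	if !ok {
		stored = dummyHash // unknown user still pays for a comparison
	}
	match := subtle.ConstantTimeCompare(stored[:], hashOf(pass)) == 1
	if !ok || !match {
		return LoginResult{401, "invalid username or password"}
	}
	return LoginResult{200, "ok"}
}

// Distinguishable is the check a reviewer wants: can a caller tell the two failures apart?
func Distinguishable(a, b LoginResult) bool {
	return a.Status != b.Status || a.Message != b.Message
}

func main() {
	fmt.Println(Distinguishable(loginLeaky("alice", "x"), loginLeaky("bob", "x")))     // true
	fmt.Println(Distinguishable(loginUniform("alice", "x"), loginUniform("bob", "x"))) // false
}
```

In a real service the uniform message must also come with equal-cost password hashing on both paths, otherwise the timing difference becomes the next oracle.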
Observable Response Discrepancy