PT-2026-20974 · Gogs · Gogs

Published: 2026-02-06 · Updated: 2026-03-03 · CVE-2025-65852

CVSS v4.0: 5.7 (Medium)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

Name of the Vulnerable Software and Affected Versions: Gogs versions prior to 0.13.4
Description: An authorization bypass exists in the Gogs repository deletion API. The DELETE /api/v1/repos/:owner/:repo endpoint lacks the permission check the operation requires, so any authenticated user with read access to a repository, including a read-only collaborator, can delete it. The cause is the API route configuration: the route is guarded only by the repoAssignment() middleware, which resolves the repository and verifies read access, and does not apply reqRepoOwner() or reqRepoAdmin(); the Delete() handler performs no permission check of its own. Successful exploitation permanently deletes the repository and all associated data (source code, git history, issues and wiki documentation). Note that although the vulnerability is described in the advisory text as critical, the CVSS v4.0 score on this page is 5.7 (Medium): the attacker needs an authenticated account that already holds read access (PR:L), confidentiality is not affected (VC:N), while integrity and availability of the repository are fully impacted (VI:H/VA:H). This is a broken access control issue (improper access control).
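The route and middleware shape described above, as an added example that is not Gogs's own code: a minimal net/http model in which the delete route is guarded only by a repoAssignment-style read check, beside the corrected chain that also requires admin or owner rights on the repository. The user and repository data, the X-User header standing in for API token authentication, and all function and type names are constructed for the illustration (only the middleware names are taken from the advisory).

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// AccessMode is a simplified model of per-repository collaborator permissions.
type AccessMode int

const (
	AccessNone AccessMode = iota
	AccessRead // read-only collaborator
	AccessWrite
	AccessAdmin
	AccessOwner
)

// server holds constructed sample state (which repositories exist and who may
// access them). Illustration data only, not Gogs's data model.
type server struct {
	repos map[string]bool
	perms map[string]map[string]AccessMode
}

func newServer() *server {
	return &server{
		repos: map[string]bool{"alice/project": true},
		perms: map[string]map[string]AccessMode{
			"alice/project": {"alice": AccessOwner, "bob": AccessRead},
		},
	}
}

// repoHandler runs after the repository and the caller's access mode are resolved.
type repoHandler func(w http.ResponseWriter, user, repo string, mode AccessMode)

// repoAssignment models the middleware named in the advisory: it resolves
// :owner/:repo from the path and rejects callers without read access. Nothing
// more is checked here, which is exactly why it is insufficient for DELETE.
func (s *server) repoAssignment(next repoHandler) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		user := r.Header.Get("X-User") // stand-in for API token authentication
		parts := strings.Split(strings.TrimPrefix(r.URL.Path, "/api/v1/repos/"), "/")
		if len(parts) != 2 {
			http.NotFound(w, r)
			return
		}
		repo := parts[0] + "/" + parts[1]
		if !s.repos[repo] {
			http.NotFound(w, r)
			return
		}
		mode := s.perms[repo][user] // AccessNone for unknown users
		if mode < AccessRead {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next(w, user, repo, mode)
	}
}

// reqRepoAdmin models the check the vulnerable route omitted: the caller must
// hold admin or owner rights on the repository.
func reqRepoAdmin(next repoHandler) repoHandler {
	return func(w http.ResponseWriter, user, repo string, mode AccessMode) {
		if mode < AccessAdmin {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next(w, user, repo, mode)
	}
}

// deleteRepo performs no permission check of its own, matching the advisory's
// description of Delete(); it relies entirely on the middleware chain.
func (s *server) deleteRepo(w http.ResponseWriter, _ string, repo string, _ AccessMode) {
	delete(s.repos, repo)
	w.WriteHeader(http.StatusNoContent)
}

// Vulnerable wires DELETE through the read check only (the pre-0.13.4 shape).
func (s *server) Vulnerable() http.Handler { return s.repoAssignment(s.deleteRepo) }

// Fixed adds the admin/owner requirement in front of the delete handler.
func (s *server) Fixed() http.Handler { return s.repoAssignment(reqRepoAdmin(s.deleteRepo)) }

// Delete sends DELETE /api/v1/repos/<repo> as <user> and returns the HTTP status.
func Delete(h http.Handler, user, repo string) int {
	req := httptest.NewRequest(http.MethodDelete, "/api/v1/repos/"+repo, nil)
	req.Header.Set("X-User", user)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	s := newServer()
	fmt.Println("vulnerable route, read-only bob:", Delete(s.Vulnerable(), "bob", "alice/project"), "repo remains:", s.repos["alice/project"])
	s = newServer()
	fmt.Println("fixed route, read-only bob:", Delete(s.Fixed(), "bob", "alice/project"), "repo remains:", s.repos["alice/project"])
	fmt.Println("fixed route, owner alice:", Delete(s.Fixed(), "alice", "alice/project"), "repo remains:", s.repos["alice/project"])
}
```

On the vulnerable chain the read-only collaborator's DELETE returns 204 and the repository is gone; on the fixed chain the same request returns 403 and the repository survives, while the owner can still delete. The general lesson is that a shared "load the repository and check read access" middleware is the wrong place to stop for destructive verbs: each route that mutates or destroys state needs its own explicit privilege requirement in the chain.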
Recommendations: Versions prior to 0.13.4: update to version 0.13.4 or later, which adds the missing authorization check. As a temporary workaround until the upgrade, restrict the DELETE method on '/api/v1/repos/:owner/:repo' (for example at a reverse proxy in front of Gogs) so that only administrators can reach it. Restrict by HTTP method rather than blocking the path outright, because the same path also serves the non-destructive repository read operations that read-only users legitimately need. To confirm the fix on an instance, use a disposable repository and an account that is only a read-only collaborator on it: a DELETE to the endpoint should be rejected (HTTP 403 Forbidden) rather than deleting the repository.

Fix

Fixed in Gogs 0.13.4 (see Recommendations)

Weakness Enumeration

Improper Access Control

Related Identifiers

CVE-2025-65852
GHSA-RJV5-9PX2-FQW6
GO-2026-4457
SUSE-SU-2026:0757-1

Affected Products

Gogs