{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2025-68971", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-17T20:47:45.452Z", "dateReserved": "2025-12-27T00:00:00.000Z", "datePublished": "2026-03-16T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-17T15:42:35.412Z"}, "descriptions": [{"lang": "en", "value": "In Forgejo through 13.0.3, the attachment component allows a denial of service by uploading a multi-gigabyte file attachment (e.g., to be associated with an issue or a release)."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://codeberg.org/forgejo/forgejo"}, {"url": "https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=291973"}, {"url": "https://zenodo.org/records/18945481"}, {"url": "https://zenodo.org/records/19058493"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-400", "lang": "en", "description": "CWE-400 Uncontrolled Resource Consumption"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-17T20:47:41.302245Z", "id": "CVE-2025-68971", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-17T20:47:45.452Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-68971", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-17T20:47:41.302245Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-17T15:23:12.702Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://codeberg.org/forgejo/forgejo"}, {"url": "https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=291973"}, {"url": "https://zenodo.org/records/18945481"}, {"url": "https://zenodo.org/records/19058493"}], "descriptions": [{"lang": "en", "value": "In Forgejo through 13.0.3, the attachment component allows a denial of service by uploading a multi-gigabyte file attachment (e.g., to be associated with an issue or a release)."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-17T15:42:35.412Z"}}}, "cveMetadata": {"cveId": "CVE-2025-68971", "state": "PUBLISHED", "dateUpdated": "2026-03-17T20:47:45.452Z", "dateReserved": "2025-12-27T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-03-16T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In Forgejo through 13.0.3, the attachment component allows a denial of service by uploading a multi-gigabyte file attachment (e.g., to be associated with an issue or a release)."}, {"lang": "es", "value": "En Forgejo hasta la versi\u00f3n 13.0.3, el componente de adjuntos permite una denegaci\u00f3n de servicio al subir un archivo adjunto de varios gigabytes (por ejemplo, para asociarlo con una incidencia o una versi\u00f3n)."}], "id": "CVE-2025-68971", "lastModified": "2026-04-27T19:18:46.690", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-16T20:16:14.863", "references": [{"source": "cve@mitre.org", "url": "https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=291973"}, {"source": "cve@mitre.org", "url": "https://codeberg.org/forgejo/forgejo"}, {"source": "cve@mitre.org", "url": "https://zenodo.org/records/18945481"}, {"source": "cve@mitre.org", "url": "https://zenodo.org/records/19058493"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "forgejo: Forgejo: Denial of Service via large file attachment upload", "id": "2448387", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448387"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-770", "details": ["A flaw was found in Forgejo. A remote attacker could exploit this vulnerability in the attachment component by uploading a multi-gigabyte file attachment, such as to an issue or a release. This could lead to a Denial of Service (DoS), making the service unavailable to legitimate users."], "name": "CVE-2025-68971", "public_date": "2026-03-16T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-68971\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-68971\nhttps://bugs.freebsd.org/bugzilla/show_bug.cgi?id=291973\nhttps://codeberg.org/forgejo/forgejo\nhttps://zenodo.org/records/18945481\nhttps://zenodo.org/records/19058493"], "statement": "This MODERATE vulnerability in Forgejo allows authenticated users to cause denial of service by uploading excessively large file attachments. Exploitation requires low privileges (valid account) and is network-accessible. Impact is high availability loss due to resource exhaustion. Affects Forgejo through version 13.0.3.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,13.0.3]"}}], "enrichment": {"confidence": 75.0, "confidence_source": "inferred", "scores": [{"score": 75.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "forgejo", "vendor": "forgejo"}], "analysis": {"en": {"generated_at": "2026-03-18T13:21:09.168007+00:00", "value": {"mitigation_remediation": ["Check the Forgejo project or community repositories for an updated release that addresses the attachment upload denial of service.", "If no patch is available, configure the Forgejo instance to enforce a maximum upload file size that is well below the multi\u2011gigabyte threshold.", "Monitor application logs for unusually large upload attempts and block or quarantine offending users.", "Verify that the server\u2019s operating system and file system have adequate quotas or disk usage limits to prevent resource exhaustion."], "summary": {"action": "Apply Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Forgejo source\u2011code collaborative platform. No explicit vendor or product name list is provided; the only version information available identifies affected releases as up to and including 13.0.3. Users of later versions are not known to be impacted.", "description_and_impact": "Forgejo versions up through 13.0.3 include an attachment component that accepts user uploads. An attacker can upload a multi\u2011gigabyte file as an issue or release attachment, causing the application to consume excessive disk and memory resources. This resource exhaustion leads to a denial of service for all users. The weakness is characterized by CWE\u2011400 (Uncontrolled Resource Consumption) and CWE\u2011770 (Allocation of Resources without Limits).", "risk_and_exploitability": "The CVSS base score is 6.5, placing the issue in the moderate severity range. The EPSS score is below 1%, indicating a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Attack is inferred to require authenticated access to create an attachment, as uploads are typically performed by logged\u2011in users. The lack of a publicly documented exploit and the low exploitation probability suggest a modest but tangible risk to systems that allow large file uploads without size restrictions."}}}}, "created": "2026-03-17T09:55:26.336606+00:00", "updated": "2026-03-23T14:01:03.067937+00:00", "vendors": ["forgejo", "forgejo$PRODUCT$forgejo"]}