Gitea has released version 1.25.2 with critical security fixes that all users should install immediately. The update addresses multiple permission vulnerabilities and information leakage issues in the open source, self-hosted Git service.

The release fixes several authentication and access control problems, including permission validation for deleting releases, branch protection checks during pull request rebases, and permission checks for issue dependencies. Gitea also unified error messages for non-existing users and invalid passwords to prevent attackers from discovering which accounts exist on a server. Draft releases are now properly hidden from users without write access, and the API no longer leaks email addresses through signature data.
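The unified login error mentioned above, sketched in Go as an added example (this is not Gitea's code): a handler that reports "no such user" and "wrong password" separately, next to one that returns a single error for both. The function names, error strings and the one-account store are assumptions constructed for illustration, and SHA-256 stands in for a real password hashing function.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Constructed account store; SHA-256 stands in for a real password KDF.
var users = map[string][32]byte{"alice": sha256.Sum256([]byte("correct horse"))}

var (
	errNoUser      = errors.New("user does not exist")
	errBadPassword = errors.New("invalid password")
	errLoginFailed = errors.New("username or password is incorrect")
)

// loginLeaky returns a different error for each failure cause, so the
// response alone reveals whether an account name is registered.
func loginLeaky(name, password string) error {
	stored, ok := users[name]
	if !ok {
		return errNoUser
	}
	sum := sha256.Sum256([]byte(password))
	if subtle.ConstantTimeCompare(stored[:], sum[:]) != 1 {
		return errBadPassword
	}
	return nil
}

// loginUnified returns one error for both causes and still hashes the
// password when the name is unknown, so both failure paths do that work.
func loginUnified(name, password string) error {
	stored, ok := users[name] // zero value when the name is unknown
	sum := sha256.Sum256([]byte(password))
	if !ok || subtle.ConstantTimeCompare(stored[:], sum[:]) != 1 {
		return errLoginFailed
	}
	return nil
}

func main() {
	for _, name := range []string{"alice", "mallory"} {
		fmt.Printf("%-8s leaky=%q unified=%q\n", name, loginLeaky(name, "wrong"), loginUnified(name, "wrong"))
	}
}
```

The same rule applies to any other response that depends on the account name, such as password reset or registration messages.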

The update includes a dependency upgrade to golang.org/x/crypto version 0.45.0, which patches the critical security vulnerability GO-2025-4134. The release incorporates 23 merged pull requests and additional bug fixes for container registry operations, external content rendering, and user interface elements.

Gitea 1.25.2 is available now from the official downloads page, with pre-built binaries for multiple platforms. Users can find installation and upgrade instructions in the project documentation.