VYPR
High severity · NVD Advisory · Published Feb 5, 2021 · Updated Aug 3, 2024

CVE-2021-3382

Description

Stack buffer overflow vulnerability in gitea 1.9.0 through 1.13.1 allows remote attackers to cause a denial of service (crash) via vectors related to a file path.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stack buffer overflow in Gitea 1.9.0–1.13.1 allows remote attackers to cause a denial of service via a crafted file path.

Vulnerability

CVE-2021-3382 is a stack buffer overflow vulnerability in Gitea versions 1.9.0 through 1.13.1. The root cause is the incorrect use of filepath instead of path in the routers/editor module, which can lead to a stack overflow when processing file paths [2].

Exploitation

The vulnerability can be triggered remotely by an attacker sending a specially crafted file path to the affected Gitea instance. Based on the fix, this issue is particularly exploitable on Windows systems [2]. No authentication is required for the attack.

Impact

Successful exploitation results in a stack buffer overflow, causing the Gitea application to crash, leading to a denial of service [3].

Mitigation

The issue was fixed in pull request #14390, which replaces filepath with path [2]. Users are advised to update to the latest version of Gitea that includes this patch.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: github.com/go-gitea/gitea (Go)
Affected versions: >= 1.9.0, < 1.13.2
Patched versions: 1.13.2
