CVE-2021-45325
Description
Server Side Request Forgery (SSRF) vulnerability exists in Gitea before 1.7.0 using the OpenID URL.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Server Side Request Forgery in Gitea prior to 1.7.0 via OpenID URL can expose internal network information.
Vulnerability
A Server Side Request Forgery (SSRF) vulnerability exists in Gitea before version 1.7.0 in the OpenID sign-in flow. The OpenID URL is supplied by the visitor, and the server fetches it for discovery. If neither WHITELISTED_URIS nor BLACKLISTED_URIS is configured in the [openid] section of app.ini, nothing restricts which hosts the server will contact, and the raw error message from a failed OpenID request is shown to the visitor, which can reveal information about the local network [2][3][4].
Exploitation
An attacker submits an OpenID URL that points at an internal host or port (for example a private IP address) to a Gitea instance. The server attempts to fetch that URL; when the request fails (connection refused, timeout, invalid response), the raw error text is rendered in the UI. Because different failure modes produce different messages, the attacker can distinguish listening services from closed ports or unreachable hosts and so map the internal network one request at a time. The sign-in form is reachable without authentication, so no account is needed to trigger this behavior [3][4].
Impact
Successful exploitation results in information disclosure. The attacker can gain knowledge about the internal network structure, services, and potentially other sensitive data through the error messages [2].
Mitigation
Upgrade to Gitea version 1.7.0 or later, released in January 2019, which hides the raw error from the UI and logs it server-side instead [3][4]. As a workaround, administrators can set WHITELISTED_URIS or BLACKLISTED_URIS in the [openid] section of app.ini to restrict which OpenID provider URLs the server will contact [3]. Note that a URI pattern list is defence in depth rather than a complete SSRF fix: a hostname that resolves to an internal address, or a provider that redirects there, is not caught by matching the literal URL.
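The following Go program is an added illustration written for this page; it is not Gitea's code. It models the two behaviours discussed in the Exploitation and Mitigation sections: the pre-1.7.0 handler that returns the raw discovery error to the visitor, and a hardened handler that first applies a URI filter in the style of the [openid] WHITELISTED_URIS / BLACKLISTED_URIS settings (assumed here to be space-separated POSIX regex patterns, with a URI permitted when it matches no blacklisted pattern and, if a whitelist is set, at least one whitelisted pattern) and then logs the raw error while showing a fixed message. The discovery request is simulated so the program runs offline; the private-IP target, the sample patterns and the provider names are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"net"
	"net/url"
	"regexp"
	"strconv"
	"strings"
)

// URIFilter models WHITELISTED_URIS / BLACKLISTED_URIS (semantics assumed, see lead-in).
type URIFilter struct {
	allow []*regexp.Regexp
	deny  []*regexp.Regexp
}

// compileList turns a space-separated list of POSIX regex patterns into compiled matchers.
func compileList(spec string) ([]*regexp.Regexp, error) {
	var res []*regexp.Regexp
	for _, p := range strings.Fields(spec) {
		re, err := regexp.CompilePOSIX(p)
		if err != nil {
			return nil, fmt.Errorf("bad pattern %q: %w", p, err)
		}
		res = append(res, re)
	}
	return res, nil
}

func NewURIFilter(whitelisted, blacklisted string) (*URIFilter, error) {
	allow, err := compileList(whitelisted)
	if err != nil {
		return nil, err
	}
	deny, err := compileList(blacklisted)
	if err != nil {
		return nil, err
	}
	return &URIFilter{allow: allow, deny: deny}, nil
}

// Permitted: any blacklist match rejects; an empty whitelist permits everything else.
func (f *URIFilter) Permitted(uri string) bool {
	for _, re := range f.deny {
		if re.MatchString(uri) {
			return false
		}
	}
	if len(f.allow) == 0 {
		return true
	}
	for _, re := range f.allow {
		if re.MatchString(uri) {
			return true
		}
	}
	return false
}

// simulatedDiscovery stands in for the OpenID discovery request and never touches the
// network. For a private IP literal it fabricates the net.OpError Go produces for a
// refused connection, which is the kind of text a raw error message hands an attacker.
func simulatedDiscovery(uri string) error {
	u, err := url.Parse(uri)
	if err != nil {
		return err
	}
	ip := net.ParseIP(u.Hostname())
	if ip == nil || !ip.IsPrivate() {
		return nil // pretend a public provider answered
	}
	port, _ := strconv.Atoi(u.Port())
	if port == 0 {
		port = 80
	}
	return &net.OpError{Op: "dial", Net: "tcp",
		Addr: &net.TCPAddr{IP: ip, Port: port}, Err: errors.New("connection refused")}
}

const genericMsg = "OpenID login failed"

// vulnerableSignIn reproduces the pre-1.7.0 behaviour: the raw error reaches the visitor.
func vulnerableSignIn(uri string) string {
	if err := simulatedDiscovery(uri); err != nil {
		return err.Error()
	}
	return "ok"
}

// fixedSignIn refuses URIs the filter does not permit before any request is made and,
// if discovery still fails, logs the raw error server-side and shows a fixed message.
func fixedSignIn(f *URIFilter, uri string) string {
	if !f.Permitted(uri) {
		return "OpenID provider not permitted"
	}
	if err := simulatedDiscovery(uri); err != nil {
		log.Printf("openid discovery for %q failed: %v", uri, err)
		return genericMsg
	}
	return "ok"
}

func main() {
	// Constructed sample: allow http(s) only, block RFC 1918 and loopback literals.
	f, err := NewURIFilter(`^https?://`, `^https?://(10\.|127\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)`)
	if err != nil {
		log.Fatal(err)
	}
	target := "http://10.0.0.5:8080/" // internal host chosen by the attacker
	fmt.Println("vulnerable:", vulnerableSignIn(target))
	fmt.Println("fixed:     ", fixedSignIn(f, target))
	fmt.Println("fixed:     ", fixedSignIn(f, "https://openid.example.org/id"))
}
```

Run with `go run .`: the vulnerable path prints `dial tcp 10.0.0.5:8080: connection refused`, exposing the probed address and port, while the fixed path prints a fixed message and records the detail only in the server log. With both pattern lists left empty the filter permits everything, so the error-hiding change is what still protects a default configuration.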
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/go-gitea/gitea | Go | < 1.7.0 | 1.7.0 |
Affected products
- Gitea/Gitea (OSV coordinates): < 1.7.0
- (no CPE): range < 1.7.0
- (no CPE): range < 1.7.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- https://github.com/advisories/GHSA-8h8p-x289-vvqr (GHSA advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2021-45325 (NVD entry; via GHSA)
- https://blog.gitea.io/2019/01/gitea-1.7.0-is-released/ (Gitea 1.7.0 release announcement; GHSA, MITRE)
- https://github.com/go-gitea/gitea/issues/4973 (Gitea issue; GHSA)
- https://github.com/go-gitea/gitea/pull/5705 (Gitea pull request; GHSA, MITRE)
- https://github.com/go-gitea/gitea/pull/5712 (Gitea pull request; GHSA)
News mentions
No linked articles in our index yet.