CVE-2025-69413

MEDIUM 5.3 / 10.0
Published: January 1, 2026 at 05:16 AM
Modified: January 6, 2026 at 07:27 PM
Source: cve@mitre.org

Vulnerability Description

In Gitea before 1.25.2, /api/v1/user has different responses for failed authentication depending on whether a username exists.

CVSS Metrics

Base Score
5.3
Severity
MEDIUM
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Weaknesses (CWE)

Source: cve@mitre.org

AI Security Analysis

01 // Technical Summary

Gitea versions prior to 1.25.2 expose a user enumeration weakness in the /api/v1/user endpoint. An attacker can use the differing failed-authentication responses to determine which usernames exist on a Gitea instance and then direct credential stuffing or other account-targeted attacks at those accounts. The leak makes such attacks more targeted and effective, raising the risk of unauthorized access.

02 // Vulnerability Mechanism

Step 1: Target Identification: The attacker identifies a Gitea instance running a vulnerable version (prior to 1.25.2).

Step 2: API Interaction: The attacker sends a series of requests to the /api/v1/user endpoint, attempting to authenticate with various usernames.

Step 3: Response Analysis: The attacker analyzes the responses received from the API for each username. Differences in the response (e.g., error messages, response times, HTTP status codes) indicate whether the username exists.

Step 4: Username Enumeration: Based on the response analysis, the attacker builds a list of valid usernames on the Gitea instance.

Step 5: Credential Stuffing/Attack: The attacker uses the enumerated usernames to attempt credential stuffing attacks, brute-force attacks, or other attacks targeting the identified accounts.

03 // Deep Technical Analysis

The vulnerability stems from a difference in the HTTP responses returned by the /api/v1/user endpoint in Gitea. When authentication fails, the API returns a different error response (and potentially a different response time) depending on whether the supplied username exists in the system. This difference allows an attacker to enumerate valid usernames by systematically querying the API with candidate usernames and observing the response to each. The root cause is inconsistent error handling and response formatting across the different authentication failure scenarios: the code does not conceal whether a user exists when authentication fails, so the failure path itself leaks that information.
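The remediation pattern for this weakness class, as an added illustration that is not Gitea's code: a minimal Go Basic-auth handler in the leaky shape (distinct status and message for unknown user versus wrong password) beside a hardened one that returns a single failure response and always performs the hash comparison. The user store, passwords and handler names are constructed for the demo; the `probe` helper exercises both against the /api/v1/user path using the standard library's httptest.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed demo store: username -> SHA-256 of password (real code would use a slow password hash).
var users = map[string][32]byte{"alice": sha256.Sum256([]byte("correct horse"))}

// leakyAuth has the flaw class described above: status and message reveal whether the user exists.
func leakyAuth(w http.ResponseWriter, r *http.Request) {
	user, pass, _ := r.BasicAuth()
	stored, found := users[user]
	if !found {
		http.Error(w, "user does not exist", http.StatusNotFound)
		return
	}
	if got := sha256.Sum256([]byte(pass)); subtle.ConstantTimeCompare(got[:], stored[:]) != 1 {
		http.Error(w, "wrong password", http.StatusUnauthorized)
		return
	}
	fmt.Fprintf(w, `{"login":%q}`, user)
}

// uniformAuth returns one status and body for every failure and always compares (against a dummy digest for unknown users).
func uniformAuth(w http.ResponseWriter, r *http.Request) {
	user, pass, _ := r.BasicAuth()
	stored, found := users[user]
	if !found {
		stored = sha256.Sum256([]byte("dummy-digest-for-unknown-user"))
	}
	if got := sha256.Sum256([]byte(pass)); !found || subtle.ConstantTimeCompare(got[:], stored[:]) != 1 {
		http.Error(w, "invalid credentials", http.StatusUnauthorized)
		return
	}
	fmt.Fprintf(w, `{"login":%q}`, user)
}

// probe sends a Basic-auth GET to /api/v1/user and returns the status code and body.
func probe(h http.HandlerFunc, user, pass string) (int, string) {
	req := httptest.NewRequest(http.MethodGet, "/api/v1/user", nil)
	req.SetBasicAuth(user, pass)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code, rec.Body.String()
}
```

A regression test that probes a known and an unknown username with a wrong password and asserts identical status and body is the simplest guard against this class of leak reappearing.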

CVE-2025-69413 - MEDIUM Severity (5.3) | Free CVE Database | 4nuxd