CVE-2026-28705 ‒ Arbitrary File Write via Path Traversal in Gitea dump-repo Command


Description

Gitea is an open-source self-hosted Git service. In versions prior to 1.25.5, the dump-repo CLI command is vulnerable to a path traversal attack allowing arbitrary file writes with attacker-controlled content.

Vulnerability

The code at dump.go:296 builds the local file path for a release asset from the asset name returned by the remote, attacker-controlled API without any sanitisation:

attachLocalPath := filepath.Join(attachDir, asset.Name) // line 296: remote-supplied name joined as-is
filepath.Join(g.baseDir, attachLocalPath)               // line 327: joined with the dump directory to form attachPath
fw, err := os.Create(attachPath)                        // line 319: the file is created at that path

attachDir is derived from the release tag (e.g. release_assets/v1.0). filepath.Join cleans its result, so if the remote server returns an asset.Name such as ../../../../../etc/cron.daily/backdoor, the .. components first cancel out release_assets/v1.0 and then climb out of g.baseDir; the file is created outside the intended dump directory with attacker-controlled content.
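The following is an added example written for this write-up, not Gitea's own code. It reproduces the path construction described above with a hypothetical helper (vulnerableAttachPath) so the traversal can be observed, and places a hardened variant (safeAttachPath) next to it that keeps only the final element of the asset name and then verifies the result still lies inside the dump directory. The baseDir value /srv/dump and the asset names are constructed inputs. The containment check also rejects a release tag that contains .., which goes beyond the asset-name case the advisory describes.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned when a remote-supplied name would escape the
// dump directory. Hypothetical name, chosen for this example.
var ErrTraversal = errors.New("asset path escapes the dump directory")

// vulnerableAttachPath mirrors the construction in the advisory: the asset
// name from the remote API is joined without any check, and filepath.Join
// cleans the ".." components so the result may leave baseDir entirely.
func vulnerableAttachPath(baseDir, tagName, assetName string) string {
	attachDir := filepath.Join("release_assets", tagName)
	attachLocalPath := filepath.Join(attachDir, assetName)
	return filepath.Join(baseDir, attachLocalPath)
}

// safeAttachPath is the hardened variant: it reduces the asset name to its
// final path element and then checks that the joined path is still inside
// baseDir. The containment check is the real guard; Base() is defence in depth.
func safeAttachPath(baseDir, tagName, assetName string) (string, error) {
	name := filepath.Base(filepath.Clean(assetName))
	if name == "." || name == ".." || name == string(filepath.Separator) {
		return "", ErrTraversal
	}
	attachDir := filepath.Join("release_assets", tagName)
	attachPath := filepath.Join(baseDir, attachDir, name)
	if !isWithin(baseDir, attachPath) {
		return "", ErrTraversal
	}
	return attachPath, nil
}

// isWithin reports whether target is baseDir or a descendant of it. It uses a
// relative-path check rather than strings.HasPrefix on the full path, so that
// /srv/dump does not accidentally accept /srv/dump-other/x.
func isWithin(baseDir, target string) bool {
	rel, err := filepath.Rel(baseDir, target)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

func main() {
	// Constructed inputs: a dump directory and an asset name carrying traversal.
	baseDir := "/srv/dump"
	evil := "../../../../../etc/cron.daily/backdoor"

	fmt.Println("vulnerable:", vulnerableAttachPath(baseDir, "v1.0", evil))
	if p, err := safeAttachPath(baseDir, "v1.0", evil); err != nil {
		fmt.Println("safe: rejected:", err)
	} else {
		fmt.Println("safe:", p)
	}
	if _, err := safeAttachPath(baseDir, "../../x", "a"); err != nil {
		fmt.Println("safe (tag traversal): rejected:", err)
	}
}
```

Running the example on a Unix-like host prints /etc/cron.daily/backdoor for the vulnerable construction, while the hardened variant stores the same asset as /srv/dump/release_assets/v1.0/backdoor and refuses a tag name that would leave the dump directory.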

The entry point is DumpRepository (dump.go:649), called by the gitea dump-repo command. The bug cannot be triggered through the web UI, because the web-based repository migration uses GiteaLocalUploader, which stores attachments by UUID and never uses the remote asset name in the local file path.

The attacker must control a Gitea instance that the victim connects to via gitea dump-repo --clone_addr <attacker-url>. Possible attack scenarios include social engineering (tricking a developer into running the command against a malicious server), a compromised third-party Gitea instance, or a man-in-the-middle attack on an unencrypted connection. Depending on the permissions of the user running the command, the arbitrary file write can lead to code execution on the machine running the dump (e.g. by writing a cronjob or overwriting authorized_keys).

Mitigations

Update to Gitea version 1.25.5 or later. Until the upgrade is in place, run gitea dump-repo only against instances you control or trust, use an https:// clone address so the server's responses cannot be tampered with in transit, and run the command as an unprivileged user from a dedicated output directory so that a malicious asset name cannot reach files such as cron directories or authorized_keys.

Timeline

Date         Action
20.02.2026   Vulnerability reported to security@gitea.io
02.03.2026   Gitea acknowledged the bug; fix and CVE to be assigned
05.03.2026   Fix pushed to main
16.03.2026   Fix released in version 1.25.5, CVE-2026-28705 assigned
06.05.2026   Release of this advisory
