CVE-2026-27779
Gitea · Gitea Open Source Git Server
Gitea versions before 1.25.5 are vulnerable to canonical URL spoofing due to improper validation of forwarded-proto headers.
Executive summary
A vulnerability in Gitea allows attackers to spoof canonical URLs by injecting malformed forwarded-proto headers, potentially leading to unauthorized redirection or phishing risks.
Vulnerability
The application incorrectly handles forwarded-proto values when detecting the public URL of the server. An unauthenticated attacker can manipulate these headers to influence how the server generates canonical URLs, which could be used to redirect users to malicious sites or poison cache/link generation.
Business impact
While the CVSS score is 7.5, the primary risk involves the integrity of links generated by the server. An attacker could trick users into clicking malicious links that appear to originate from the legitimate Gitea instance, potentially leading to credential harvesting or the distribution of malicious content, damaging organizational trust.
Remediation
Immediate Action: Update the Gitea instance to version 1.25.5 or later.
Proactive Monitoring: Monitor access logs for anomalous requests containing unexpected or malformed headers, particularly those targeting URL generation or proxy-related headers.
Compensating Controls: Configure your reverse proxy (e.g., Nginx, HAProxy) to strip or sanitize X-Forwarded-Proto headers to ensure only trusted values are passed to the Gitea backend.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Organizations hosting Gitea should prioritize the update to version 1.25.5 to prevent potential URL spoofing attacks. In addition to patching, ensuring that the reverse proxy is correctly configured to sanitize incoming headers provides a necessary layer of defense-in-depth against header injection attacks.