Forgejo Security Release 1.21.6-0

Forgejo v1.21.6-0 was released 22 February 2024.

This release contains a security fix related to Cross-site scripting (XSS) vulnerabilities that can be exploited by registered Forgejo users.

Recommended Action

We strongly recommend that all Forgejo installations are upgraded to the latest version as soon as possible.

Cross-site scripting (XSS) vulnerability

The Cross-site scripting (XSS) vulnerabilities can be exploited by a registered Forgejo user.

In some situations where a repository or user name contains HTML scripts, those values are not always properly escaped, thus leading to an XSS attack. For instance when:

• Migrating a repository
• Publishing content in the wiki
• Creating a repository on first push

It allows the attacker to inject a client-side script targetting visitors browsing a repository being migrated, the repository settings or the wiki. Note that the repository settings are only visible to repository admins.

Responsible disclosure to Gitea

On 22 January 2024, the Forgejo security team identified multiple Cross-site scripting (XSS) vulnerabilities could be exploited by registered Forgejo users, and the Gitea security team was notified. A 30-day embargo was requested, after which a patch to the v1.21 point release could be published.

On 14 February 2024, Gitea published a pull request that fixes the vulnerability, before the end of the requested embargo. It is embedded in a large refactor and not labeled to be security related but to a trained eye, this does catch attention.

On 17 February 2024, the Gitea security team privately sent a patch that fixes an additional XSS vulnerability.

Contribute to Forgejo

If you have any feedback or suggestions for Forgejo, we’d love to hear from you! Open an issue on our issue tracker for feature requests or bug reports. You can also find us on the Fediverse, or drop by our Matrix space (main chat room) to say hi!