Arbitrary file deletion in Gitea in go-gitea/gitea


Reported on

Mar 12th 2022


When a user deletes LFS data in Gitea, the oid parameter is not validated. The attacker can craft an oid whose prefix is .... to traverse directories and delete any file on the server.

Proof of Concept

Create a repository on Gitea. (e.g. foo/bar)

Send a POST request with your Gitea cookies and set the CSRF token in the request body.

POST /foo/bar/settings/lfs/delete/....%2fcustom%2fconf%2fapp.ini

The Gitea configuration custom/conf/app.ini has been deleted.


This vulnerability is capable of deleting files on the server, which allows the attacker to make the service unavailable. By deleting the Gitea configuration file, the attacker can reinstall the entire program after a restart.
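
Added example, not part of the original report and not Gitea's own code: a Go illustration of how an unvalidated oid with a .... prefix resolves outside the storage directory, next to a version that validates the oid before building the path. The aa/bb/rest sharding layout, the /data/lfs root and the function names are assumptions for illustration; the 64-character lowercase hex form is the SHA-256 oid format Git LFS uses.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"regexp"
	"strings"
)

// Git LFS oids are SHA-256 digests: exactly 64 lowercase hex characters.
var oidPattern = regexp.MustCompile(`^[0-9a-f]{64}$`)

var ErrInvalidOID = errors.New("invalid LFS oid")

// shardedPath builds aa/bb/rest from an oid with no validation (assumed
// layout; this is the "before" behaviour the report describes).
func shardedPath(oid string) string {
	if len(oid) < 5 {
		return oid
	}
	return path.Join(oid[0:2], oid[2:4], oid[4:])
}

// safeObjectPath rejects malformed oids, then confirms that the joined
// path is still inside root before handing it to any file operation.
func safeObjectPath(root, oid string) (string, error) {
	if !oidPattern.MatchString(oid) {
		return "", ErrInvalidOID
	}
	root = path.Clean(root)
	full := path.Join(root, shardedPath(oid))
	if !strings.HasPrefix(full, root+"/") {
		return "", ErrInvalidOID
	}
	return full, nil
}

func main() {
	root := "/data/lfs" // constructed storage root
	samples := []string{
		"..../custom/conf/app.ini", // URL-decoded oid from the report
		strings.Repeat("ab", 32),   // constructed well-formed oid
	}
	for _, oid := range samples {
		fmt.Printf("unvalidated: %s\n", path.Join(root, shardedPath(oid)))
		p, err := safeObjectPath(root, oid)
		fmt.Printf("validated:   %q err=%v\n", p, err)
	}
}
```

The format check alone stops the traversal; the prefix check is a second layer that still holds if the oid format or the sharding scheme changes later.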

We are processing your report and will contact the go-gitea/gitea team within 24 hours. 2 years ago
We have contacted a member of the go-gitea/gitea team and are waiting to hear back 2 years ago
We have sent a follow up to the go-gitea/gitea team. We will try again in 4 days. 2 years ago
go-gitea/gitea maintainer
2 years ago


Thanks for this report, we've resolved this in

We are writing the blog post right now and will be crediting your username (and too). Please let us know if you'd prefer a different credit other than your username.

2 years ago


Thanks. Could you please use E99p1ant as the credit name? And here is my GitHub profile:

go-gitea/gitea maintainer has acknowledged this report 2 years ago
zeripath validated this vulnerability 2 years ago
wuhan005 has been awarded the disclosure bounty
The fix bounty is now up for grabs
zeripath marked this as fixed in 1.16.4 with commit 49db87 2 years ago
The fix bounty has been dropped
2 years ago


Hi, I noticed that the blog post has been released. It seems like my username is missing in the post. 😂

go-gitea/gitea maintainer
2 years ago

Maintainer will fix that.
