[ { "run_id": "gitea-livecheck-20260316", "system_id": "gitea", "advisory_id": "gitea--CVE-2025-68939", "repro_profile_id": "file-upload-generic", "verification_status": "blocked-artifact", "verification_mode": "real", "artifact_mode": "official-image", "target_env": "local-docker", "compose_services": [ "app" ], "baseline_refs": [], "attack_steps": [], "browser_refs": [], "browser_evidence": { "required": true, "present": false, "refs": [], "baseline_refs": [], "proof_refs": [], "baseline_title": null, "proof_title": null }, "container_log_refs": [], "request_log_refs": [], "compose_refs": [ "/Users/x/websafe/06-case-studies/generated-runs/gitea-livecheck-20260316/compose/compose.yaml" ], "timeline": [ { "at": "2026-03-17T07:02:55+00:00", "step": "select-advisory", "status": "completed", "detail": "gitea--CVE-2025-68939" }, { "at": "2026-03-17T07:02:55+00:00", "step": "resolve-repro-profile", "status": "completed", "detail": "file-upload-generic" }, { "at": "2026-03-17T07:02:56+00:00", "step": "provision-compose-environment", "status": "blocked-artifact", "detail": "unable to get image 'gitea/gitea:1.22.6': Cannot connect to the Docker daemon at unix:///Users/x/.docker/run/docker.sock. Is the docker daemon running?" }, { "at": "2026-03-17T07:02:56+00:00", "step": "baseline-snapshot", "status": "skipped", "detail": "no baseline urls or provisioning blocked" }, { "at": "2026-03-17T07:02:56+00:00", "step": "browser-replay-before-attack", "status": "skipped", "detail": "baseline browser capture unavailable" }, { "at": "2026-03-17T07:02:56+00:00", "step": "controlled-attack-chain", "status": "skipped", "detail": "provisioning blocked" }, { "at": "2026-03-17T07:02:56+00:00", "step": "browser-replay-after-attack", "status": "skipped", "detail": "proof browser capture unavailable" }, { "at": "2026-03-17T07:02:56+00:00", "step": "collect-logs-and-evidence", "status": "skipped", "detail": "container_logs=0" }, { "at": "2026-03-17T07:02:56+00:00", "step": "update-registry-and-reports", "status": "completed", "detail": "gitea-livecheck-20260316" } ], "started_at": "2026-03-17T07:02:55+00:00", "finished_at": "2026-03-17T07:02:56+00:00", "blocked_reason": "unable to get image 'gitea/gitea:1.22.6': Cannot connect to the Docker daemon at unix:///Users/x/.docker/run/docker.sock. Is the docker daemon running?", "report_refs": { "bundle_dir": "/Users/x/websafe/06-case-studies/generated-runs/gitea-livecheck-20260316", "report_md": "/Users/x/websafe/06-case-studies/generated-runs/gitea-livecheck-20260316/report.md", "report_html": "/Users/x/websafe/06-case-studies/generated-runs/gitea-livecheck-20260316/report.html", "timeline": "/Users/x/websafe/06-case-studies/generated-runs/gitea-livecheck-20260316/timeline.mmd" }, "dashboard_refs": { "report_html": "/runs/gitea-livecheck-20260316/report.html", "report_md": "/runs/gitea-livecheck-20260316/report.md", "timeline": "/runs/gitea-livecheck-20260316/timeline.mmd", "bundle": "/runs/gitea-livecheck-20260316/run.json" }, "browser_links": [], "container_links": [], "request_links": [], "advisory_meta": { "canonical_id": "gitea--CVE-2025-68939", "title": "Gitea allows attackers to add attachments with forbidden file extensions in code.gitea.io/gitea", "summary": "Gitea allows attackers to add attachments with forbidden file extensions in code.gitea.io/gitea", "display_name": "Gitea", "system_id": "gitea", "category": "platforms", "severity": "unknown", "cvss_score": null, "exploit_status": "unknown", "published_at": "2025-12-30T01:49:57Z", "updated_at": "2026-03-03T04:57:48.777563Z", "official_source_url": "https://github.com/advisories/GHSA-263q-5cv3-xq9g", "secondary_source_urls": [ "https://nvd.nist.gov/vuln/detail/CVE-2025-68939", "https://blog.gitea.com/release-of-1.23.0", "https://github.com/go-gitea/gitea/pull/32151", "https://github.com/go-gitea/gitea/releases/tag/v1.23.0" ], "aliases": [ "BIT-gitea-2025-68939", "CVE-2025-68939", "GHSA-263q-5cv3-xq9g", "GO-2025-4261" ], "secure_code_topics": [ "authz-server-side-recheck", "token-cookie-storage", "proxy-trust-boundary", "plugin-extension-trust-policy" ], "verification_status": "blocked-artifact", "verification_mode": "real", "artifact_mode": "official-image", "blocked_reason": "unable to get image 'gitea/gitea:1.22.6': Cannot connect to the Docker daemon at unix:///Users/x/.docker/run/docker.sock. Is the docker daemon running?", "browser_evidence": { "required": false, "present": false, "refs": [] } }, "profile_meta": { "profile_id": "file-upload-generic", "vuln_family": "file-upload", "provisioning_mode": "real", "destructive_risk": "medium", "cleanup_policy": "destroy", "artifact_source": { "strategy": "official-image-or-source" }, "success_criteria": [ "Upload acceptance or bypass path is demonstrated with reversible test artifacts." ], "seed_actions": [ { "kind": "note", "message": "Use inert marker files and non-executable payloads by default." } ], "attack_actions": [ { "kind": "note", "message": "Validate extension, storage path, and preview behavior using inert files." } ], "browser_assertions": { "required": true }, "allowed_target_types": [ "lab-local", "lab-public", "authorized-third-party" ], "required_services": [ "app" ] }, "reasoning_lines": [ "Gitea allows attackers to add attachments with forbidden file extensions in code.gitea.io/gitea", "Use inert marker files and non-executable payloads by default.", "Validate extension, storage path, and preview behavior using inert files.", "Upload acceptance or bypass path is demonstrated with reversible test artifacts.", "Current blocker: unable to get image 'gitea/gitea:1.22.6': Cannot connect to the Docker daemon at unix:///Users/x/.docker/run/docker.sock. Is the docker daemon running?" ], "progress": { "completed": 3, "skipped": 5, "failed": 0, "blocked": 1, "planned": 0, "other": 0 }, "artifact_groups": [ { "key": "reports", "label": "\u62a5\u544a\u4e0e\u8fd0\u884c\u4ea7\u7269", "count": 4, "items": [ { "href": "/runs/gitea-livecheck-20260316/report.html", "label": "report.html", "kind": "text" }, { "href": "/runs/gitea-livecheck-20260316/report.md", "label": "report.md", "kind": "text" }, { "href": "/runs/gitea-livecheck-20260316/timeline.mmd", "label": "timeline.mmd", "kind": "text" }, { "href": "/runs/gitea-livecheck-20260316/run.json", "label": "run.json", "kind": "text" } ] }, { "key": "compose", "label": "Compose \u7f16\u6392", "count": 1, "items": [ { "href": "/runs/gitea-livecheck-20260316/compose/compose.yaml", "label": "compose.yaml", "kind": "text" } ] } ] }, { "run_id": "gitea-gitea--CVE-2025-68939-20260317063330", "system_id": "gitea", "advisory_id": "gitea--CVE-2025-68939", "repro_profile_id": "file-upload-generic", "verification_status": "blocked-artifact", "verification_mode": "real", "artifact_mode": "official-image", "target_env": "local-docker", "compose_services": [ "app" ], "baseline_refs": [], "attack_steps": [], "browser_refs": [], "container_log_refs": [], "request_log_refs": [ "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68939-20260317063330/logs/attack.json", "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68939-20260317063330/logs/baseline.json" ], "timeline": [], "started_at": "2026-03-17T06:33:30+00:00", "finished_at": "2026-03-17T06:33:30+00:00", "blocked_reason": "unable to get image 'gitea/gitea:1.22.6': Cannot connect to the Docker daemon at unix:///Users/x/.docker/run/docker.sock. Is the docker daemon running?", "report_refs": { "bundle_dir": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68939-20260317063330", "report_md": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68939-20260317063330/report.md", "report_html": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68939-20260317063330/report.html", "timeline": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68939-20260317063330/timeline.mmd" }, "dashboard_refs": { "report_html": "/runs/gitea-gitea--CVE-2025-68939-20260317063330/report.html", "report_md": "/runs/gitea-gitea--CVE-2025-68939-20260317063330/report.md", "timeline": "/runs/gitea-gitea--CVE-2025-68939-20260317063330/timeline.mmd", "bundle": "/runs/gitea-gitea--CVE-2025-68939-20260317063330/run.json" }, "browser_evidence": { "required": false, "present": false, "refs": [] }, "browser_links": [], "container_links": [], "request_links": [ "/runs/gitea-gitea--CVE-2025-68939-20260317063330/logs/attack.json", "/runs/gitea-gitea--CVE-2025-68939-20260317063330/logs/baseline.json" ], "advisory_meta": { "canonical_id": "gitea--CVE-2025-68939", "title": "Gitea allows attackers to add attachments with forbidden file extensions in code.gitea.io/gitea", "summary": "Gitea allows attackers to add attachments with forbidden file extensions in code.gitea.io/gitea", "display_name": "Gitea", "system_id": "gitea", "category": "platforms", "severity": "unknown", "cvss_score": null, "exploit_status": "unknown", "published_at": "2025-12-30T01:49:57Z", "updated_at": "2026-03-03T04:57:48.777563Z", "official_source_url": "https://github.com/advisories/GHSA-263q-5cv3-xq9g", "secondary_source_urls": [ "https://nvd.nist.gov/vuln/detail/CVE-2025-68939", "https://blog.gitea.com/release-of-1.23.0", "https://github.com/go-gitea/gitea/pull/32151", "https://github.com/go-gitea/gitea/releases/tag/v1.23.0" ], "aliases": [ "BIT-gitea-2025-68939", "CVE-2025-68939", "GHSA-263q-5cv3-xq9g", "GO-2025-4261" ], "secure_code_topics": [ "authz-server-side-recheck", "token-cookie-storage", "proxy-trust-boundary", "plugin-extension-trust-policy" ], "verification_status": "blocked-artifact", "verification_mode": "real", "artifact_mode": "official-image", "blocked_reason": "unable to get image 'gitea/gitea:1.22.6': Cannot connect to the Docker daemon at unix:///Users/x/.docker/run/docker.sock. Is the docker daemon running?", "browser_evidence": { "required": false, "present": false, "refs": [] } }, "profile_meta": { "profile_id": "file-upload-generic", "vuln_family": "file-upload", "provisioning_mode": "real", "destructive_risk": "medium", "cleanup_policy": "destroy", "artifact_source": { "strategy": "official-image-or-source" }, "success_criteria": [ "Upload acceptance or bypass path is demonstrated with reversible test artifacts." ], "seed_actions": [ { "kind": "note", "message": "Use inert marker files and non-executable payloads by default." } ], "attack_actions": [ { "kind": "note", "message": "Validate extension, storage path, and preview behavior using inert files." } ], "browser_assertions": { "required": true }, "allowed_target_types": [ "lab-local", "lab-public", "authorized-third-party" ], "required_services": [ "app" ] }, "reasoning_lines": [ "Gitea allows attackers to add attachments with forbidden file extensions in code.gitea.io/gitea", "Use inert marker files and non-executable payloads by default.", "Validate extension, storage path, and preview behavior using inert files.", "Upload acceptance or bypass path is demonstrated with reversible test artifacts.", "Current blocker: unable to get image 'gitea/gitea:1.22.6': Cannot connect to the Docker daemon at unix:///Users/x/.docker/run/docker.sock. Is the docker daemon running?" ], "progress": { "completed": 0, "skipped": 0, "failed": 0, "blocked": 0, "planned": 0, "other": 0 }, "artifact_groups": [ { "key": "reports", "label": "\u62a5\u544a\u4e0e\u8fd0\u884c\u4ea7\u7269", "count": 4, "items": [ { "href": "/runs/gitea-gitea--CVE-2025-68939-20260317063330/report.html", "label": "report.html", "kind": "text" }, { "href": "/runs/gitea-gitea--CVE-2025-68939-20260317063330/report.md", "label": "report.md", "kind": "text" }, { "href": "/runs/gitea-gitea--CVE-2025-68939-20260317063330/timeline.mmd", "label": "timeline.mmd", "kind": "text" }, { "href": "/runs/gitea-gitea--CVE-2025-68939-20260317063330/run.json", "label": "run.json", "kind": "text" } ] }, { "key": "requests", "label": "\u8bf7\u6c42\u4e0e\u63a2\u6d4b\u65e5\u5fd7", "count": 2, "items": [ { "href": "/runs/gitea-gitea--CVE-2025-68939-20260317063330/logs/attack.json", "label": "attack.json", "kind": "text" }, { "href": "/runs/gitea-gitea--CVE-2025-68939-20260317063330/logs/baseline.json", "label": "baseline.json", "kind": "text" } ] } ] }, { "run_id": "nextjs-nextjs--CVE-2025-29927-20260317063047", "system_id": "nextjs", "advisory_id": "nextjs--CVE-2025-29927", "repro_profile_id": "authz-bypass-generic", "verification_status": "triage-manual", "verification_mode": "real", "artifact_mode": "official-source", "target_env": "local-docker", "compose_services": [ "app" ], "baseline_refs": [ "/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-29927-20260317063047/logs/baseline.json" ], "attack_steps": [ { "kind": "note", "tool": null, "args": [], "status": "planned" } ], "browser_refs": [], "container_log_refs": [], "request_log_refs": [ "/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-29927-20260317063047/logs/attack.json", "/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-29927-20260317063047/logs/baseline.json" ], "timeline": [], "started_at": "2026-03-17T06:30:47+00:00", "finished_at": "2026-03-17T06:30:47+00:00", "blocked_reason": "dry-run only", "report_refs": { "bundle_dir": "/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-29927-20260317063047", "report_md": "/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-29927-20260317063047/report.md", "report_html": "/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-29927-20260317063047/report.html", "timeline": "/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-29927-20260317063047/timeline.mmd" }, "dashboard_refs": { "report_html": "/runs/nextjs-nextjs--CVE-2025-29927-20260317063047/report.html", "report_md": "/runs/nextjs-nextjs--CVE-2025-29927-20260317063047/report.md", "timeline": "/runs/nextjs-nextjs--CVE-2025-29927-20260317063047/timeline.mmd", "bundle": "/runs/nextjs-nextjs--CVE-2025-29927-20260317063047/run.json" }, "browser_evidence": { "required": false, "present": false, "refs": [] }, "browser_links": [], "container_links": [], "request_links": [ "/runs/nextjs-nextjs--CVE-2025-29927-20260317063047/logs/attack.json", "/runs/nextjs-nextjs--CVE-2025-29927-20260317063047/logs/baseline.json" ], "advisory_meta": { "canonical_id": "nextjs--CVE-2025-29927", "title": "Authorization Bypass in Next.js Middleware", "summary": "# Impact\nIt is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware.\n\n# Patches\n* For Next.js 15.x, this issue is fixed in `15.2.3`\n* For Next.js 14.x, this issue is fixed in `14.2.25`\n* For Next.js 13.x, this issue is fixed in 13.5.9\n* For Next.js 12.x, this issue is fixed in 12.3.5\n* For Next.js 11.x, consult the below workaround.\n\n_Note: Next.js deployments hosted on Vercel are automatically protected against this vulnerability._\n\n# Workaround\nIf patching to a safe version is infeasible, we recommend that you prevent external user requests which contain the `x-middleware-subrequest` header from reaching your Next.js application.\n\n## Credits\n\n- Allam Rachid (zhero;)\n- Allam Yasser (inzo_)", "display_name": "Next.js", "system_id": "nextjs", "category": "frameworks", "severity": "low", "cvss_score": 3.1, "exploit_status": "unknown", "published_at": "2025-03-21T15:20:12Z", "updated_at": "2026-03-04T15:06:29.993197Z", "official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-f82v-jwr5-mffw", "secondary_source_urls": [ "https://nvd.nist.gov/vuln/detail/CVE-2025-29927", "https://github.com/vercel/next.js/commit/52a078da3884efe6501613c7834a3d02a91676d2", "https://github.com/vercel/next.js/commit/5fd3ae8f8542677c6294f32d18022731eab6fe48", "https://github.com/vercel/next.js", "https://github.com/vercel/next.js/releases/tag/v12.3.5", "https://github.com/vercel/next.js/releases/tag/v13.5.9", "https://security.netapp.com/advisory/ntap-20250328-0002", "https://vercel.com/changelog/vercel-firewall-proactively-protects-against-vulnerability-with-middleware", "http://www.openwall.com/lists/oss-security/2025/03/23/3", "http://www.openwall.com/lists/oss-security/2025/03/23/4" ], "aliases": [ "CVE-2025-29927", "GHSA-f82v-jwr5-mffw" ], "secure_code_topics": [ "authz-server-side-recheck", "proxy-trust-boundary", "token-cookie-storage" ], "verification_status": "triage-manual", "verification_mode": "real", "artifact_mode": "official-source", "blocked_reason": "dry-run only", "browser_evidence": { "required": false, "present": false, "refs": [] } }, "profile_meta": { "profile_id": "authz-bypass-generic", "vuln_family": "authz-bypass", "provisioning_mode": "real", "destructive_risk": "medium", "cleanup_policy": "destroy", "artifact_source": { "strategy": "official-image-or-source" }, "success_criteria": [ "Protected route or action is evaluated with controlled credentials and logged." ], "seed_actions": [ { "kind": "note", "message": "Create low-privilege and admin test users for server-side recheck validation." } ], "attack_actions": [ { "kind": "note", "message": "Use minimal authorization bypass probes defined by case-specific runner or manual session tooling." } ], "browser_assertions": { "required": false }, "allowed_target_types": [ "lab-local", "lab-public", "authorized-third-party" ], "required_services": [ "app" ] }, "reasoning_lines": [ "# Impact\nIt is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware.\n\n# Patches\n* For Next.js 15.x, this issue is fixed in `15.2.3`\n* For Next.js 14.x, this issue is fixed in `14.2.25`\n* For Next.js 13.x, this issue is fixed in 13.5.9\n* For Next.js 12.x, this issue is fixed in 12.3.5\n* For Next.js 11.x, consult the below workaround.\n\n_Note: Next.js deployments hosted on Vercel are automatically protected against this vulnerability._\n\n# Workaround\nIf patching to a safe version is infeasible, we recommend that you prevent external user requests which contain the `x-middleware-subrequest` header from reaching your Next.js application.\n\n## Credits\n\n- Allam Rachid (zhero;)\n- Allam Yasser (inzo_)", "Create low-privilege and admin test users for server-side recheck validation.", "Use minimal authorization bypass probes defined by case-specific runner or manual session tooling.", "Protected route or action is evaluated with controlled credentials and logged.", "Current blocker: dry-run only" ], "progress": { "completed": 0, "skipped": 0, "failed": 0, "blocked": 0, "planned": 0, "other": 0 }, "artifact_groups": [ { "key": "reports", "label": "\u62a5\u544a\u4e0e\u8fd0\u884c\u4ea7\u7269", "count": 4, "items": [ { "href": "/runs/nextjs-nextjs--CVE-2025-29927-20260317063047/report.html", "label": "report.html", "kind": "text" }, { "href": "/runs/nextjs-nextjs--CVE-2025-29927-20260317063047/report.md", "label": "report.md", "kind": "text" }, { "href": "/runs/nextjs-nextjs--CVE-2025-29927-20260317063047/timeline.mmd", "label": "timeline.mmd", "kind": "text" }, { "href": "/runs/nextjs-nextjs--CVE-2025-29927-20260317063047/run.json", "label": "run.json", "kind": "text" } ] }, { "key": "baseline", "label": "\u57fa\u7ebf\u5feb\u7167", "count": 1, "items": [ { "href": "/runs/nextjs-nextjs--CVE-2025-29927-20260317063047/logs/baseline.json", "label": "baseline.json", "kind": "text" } ] }, { "key": "requests", "label": "\u8bf7\u6c42\u4e0e\u63a2\u6d4b\u65e5\u5fd7", "count": 1, "items": [ { "href": "/runs/nextjs-nextjs--CVE-2025-29927-20260317063047/logs/attack.json", "label": "attack.json", "kind": "text" } ] } ] } ]