Gitea | v1.25.5

Gitea v1.25.5 released on 13-03-2026


Gitea v1.25.5 is out now. It focuses on security hardening, toolchain and dependency updates, and a number of permission, storage and UI fixes that close several important attack surfaces.

For full details and upgrade instructions, consult the release notes on Gitea’s GitHub or the official Gitea pages; Gitea Cloud instances will be upgraded automatically during the scheduled maintenance window.

What’s in this release

  • Toolchain moved to Go 1.25.8 with related adjustments and dependency security bumps.
  • Security fixes including prevention of redirect bypasses via backslash-encoded paths and corrections to OAuth2 authorization code expiry, reuse and s256 handling.
  • Critical access fixes such as resolving a bug that allowed a user to change another user’s primary email, plus multiple permission and visibility corrections.

Upgrade notes

  • The built-in security-check has been made informational only; operators should review the toolchain and dependency changes before upgrading and follow the release notes for guidance.
  • Gitea Cloud instances will be automatically upgraded to v1.25.5 during the specified maintenance window; self-hosted operators should plan their own upgrade and rollback procedure if needed.

Share feedback or report any issues on Gitea’s GitHub so the community and maintainers can follow up on your experience.

Related posts

Agentic AI still needs domain judgement

Agentic AI can write the thing, but it still cannot tell you whether the thing is right. That is where domain expertise matters, because a clean config or neat bit of glue logic can still be wrong in...

Weekly Tech Digest | 06 Jul 2026

Stay updated with the latest in tech! This digest covers AI ethics, auto industry shifts, and the impact of politics on technology, exploring today's pressing issues.

wolfCOSE zero-allocation parsing in embedded C

wolfCOSE looks sensible only if you care about what your firmware actually has to carry. I like that, because on small targets the wrong crypto feature can cost more than the message itself, and there...