Gitea | v1.25.5

Gitea v1.25.5 released on 13-03-2026


Gitea v1.25.5 is out now. Admins and self-hosters benefit from security and toolchain updates plus a range of fixes that harden request handling and restore expected access control behaviour.

See the Gitea GitHub releases or Gitea Cloud (https://cloud.gitea.com) for the full notes and detailed upgrade instructions.

What’s in this release

  • Security and toolchain updates: Go toolchain updated (Go 1.25.6, and 1.25.8 for the v1.25 line), mitigations for redirect bypasses via backslash-encoded paths, fixes preventing users changing another user’s primary email, and OAuth2 fixes for authorization code expiry/reuse and S256 handling; the default security-check is now informational-only.
  • Permissions and API visibility fixes: corrected permission checks for release drafts, updating/rebasing pull request branches, track-time and issue ID checks, and org-member visibility for hidden members and private organisations; forwarded-proto handling for public URL detection fixed.
  • Repository, mirroring, LFS and git ops improvements: stricter validation for repository creation, migration HTTP transport for mirror LFS, fixes for mirror pushes including wikis, LFS GC fixes, path-resolving and release-asset dump fixes, a git-grep search timeout, and an upgrade of go-git to 5.16.5.

Upgrade notes

  • Toolchain change: the Go toolchain has been updated to 1.25.6 (and 1.25.8 for v1.25). Check your build and CI toolchain compatibility before upgrading and follow the release notes for build details.
  • Gitea Cloud auto-upgrade: Gitea Cloud instances will be automatically upgraded to v1.25.5 during the scheduled maintenance window; no specific rollback instructions are provided — follow your usual rollback procedures if necessary.

Try the upgrade and share feedback on the project’s issue tracker or community channels — reports on any regressions or remaining edge cases are especially useful.

Related posts

Agentic AI still needs domain judgement

Agentic AI can write the thing, but it still cannot tell you whether the thing is right. That is where domain expertise matters, because a clean config or neat bit of glue logic can still be wrong in...

Weekly Tech Digest | 06 Jul 2026

Stay updated with the latest in tech! This digest covers AI ethics, auto industry shifts, and the impact of politics on technology, exploring today's pressing issues.

wolfCOSE zero-allocation parsing in embedded C

wolfCOSE looks sensible only if you care about what your firmware actually has to carry. I like that, because on small targets the wrong crypto feature can cost more than the message itself, and there...