Gitea | v1.25.5

Gitea v1.25.5 released on 13-03-2026


Gitea v1.25.5 is out now. Admins and self-hosters benefit from security and toolchain updates plus a range of fixes that harden request handling and restore expected access control behaviour.

See the Gitea GitHub releases or Gitea Cloud (https://cloud.gitea.com) for the full notes and detailed upgrade instructions.

What’s in this release

  • Security and toolchain updates: Go toolchain updated (Go 1.25.6, and 1.25.8 for the v1.25 line), mitigations for redirect bypasses via backslash-encoded paths, fixes preventing users changing another user’s primary email, and OAuth2 fixes for authorization code expiry/reuse and S256 handling; the default security-check is now informational-only.
  • Permissions and API visibility fixes: corrected permission checks for release drafts, updating/rebasing pull request branches, track-time and issue ID checks, and org-member visibility for hidden members and private organisations; forwarded-proto handling for public URL detection fixed.
  • Repository, mirroring, LFS and git ops improvements: stricter validation for repository creation, migration HTTP transport for mirror LFS, fixes for mirror pushes including wikis, LFS GC fixes, path-resolving and release-asset dump fixes, a git-grep search timeout, and an upgrade of go-git to 5.16.5.

Upgrade notes

  • Toolchain change: the Go toolchain has been updated to 1.25.6 (and 1.25.8 for v1.25). Check your build and CI toolchain compatibility before upgrading and follow the release notes for build details.
  • Gitea Cloud auto-upgrade: Gitea Cloud instances will be automatically upgraded to v1.25.5 during the scheduled maintenance window; no specific rollback instructions are provided — follow your usual rollback procedures if necessary.

Try the upgrade and share feedback on the project’s issue tracker or community channels — reports on any regressions or remaining edge cases are especially useful.
