Gitea 1.24.7 is released
We are excited to announce the release of Gitea version 1.24.7! We strongly recommend all users upgrade to this version for improved stability and security.
This release includes 7 merged pull requests, thanks to the amazing contributions from our community.
Security
This release addresses several important security vulnerabilities:
- LFS Authentication Bypass
A user without valid credentials could upload or download LFS files by submitting a malformed JWT token. Thanks to Scott Tolley from Black Duck for reporting this issue, and to @wxiaoguang for the fix in https://github.com/go-gitea/gitea/pull/35708.
- Arbitrary File Access via Malicious Template Repositories
An authenticated user could create a crafted template repository that processes arbitrary files on the filesystem. Thanks to Clément Hamada for reporting this issue, and to @wxiaoguang for the fix in https://github.com/go-gitea/gitea/pull/35708.
- Invalidated OAuth2 Tokens Still Accepted
An invalidated OAuth2 token could incorrectly pass validation. Thanks to TIA for reporting this issue, and to @lunny for the fix in https://github.com/go-gitea/gitea/pull/35655.
How to install or update
Download our pre-built binaries from the Gitea downloads page — make sure to select the version compatible with your platform. For a step-by-step guide on installation or upgrades, check out our installation documentation.
Special Thanks
We would also like to thank all of our supporters on Open Collective who are helping to sustain us financially.
Looking for a seamless, hassle-free solution to manage your Git repositories? Discover Gitea Cloud — A fully-managed, scalable platform designed to streamline your development workflow.
Changelog
1.24.7 - 2025-09-12
- SECURITY
- BUGFIXES
- TESTING
