CVE-2025-68971
Description
On 2025-12-22, security vulnerability CVE-2025-68971 (CVSS 5.5, MEDIUM) was discovered in the open-source Forgejo 13.0.3 application, first observed on the FreeBSD 14 operating system. Forgejo buffered attachment upload fragments in memory and consumed the operating system's entire free memory, starving every other process, so the operating system went into mass-killing system applications and services. Whenever any user uploads an attachment larger than the memory the operating system can provide, the operating system has no choice but to kill all services and applications and restart its runtime. The processes killed include, but are not limited to, the graphical user interface and network services such as Xorg, the LXQt desktop manager, the Nginx reverse proxy server, and the SSH server. The fallout is data loss and data corruption caused by the unexpected program terminations.
On 2026-01-16, the Forgejo security team released a fix for the vulnerability in version 14.0.0, and by 2026-03-11 versions 14.0.0, 14.0.1, and 14.0.2 had all been tested and verified as fixing it. The conclusion is that the public MUST upgrade Forgejo to version 14.0.2 and above to mitigate this vulnerability.
Beyond that, this report documents the vulnerability and its remediation solely for archival and educational purposes.
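The failure mode described above, as an added illustration that is not part of this report and not Forgejo's own code: a Go upload handler (Forgejo is written in Go) showing the unbounded in-memory buffering pattern beside a bounded version that caps the request body and streams it to disk in fixed-size chunks. The cap value, function names and temporary-file location are assumptions; the remediation the report mandates is the Forgejo upgrade itself.

```go
package main

import (
	"errors"
	"io"
	"net/http"
	"os"
)

// Assumed per-upload cap for this illustration (not a Forgejo setting).
const maxAttachmentBytes int64 = 8 << 20 // 8 MiB

// bufferWholeBody is the failure mode the advisory describes: the entire body
// is accumulated in process memory, so memory use grows with the upload size.
func bufferWholeBody(r *http.Request) ([]byte, error) {
	return io.ReadAll(r.Body) // allocation proportional to the upload size
}

// streamBodyToTemp is the bounded alternative: http.MaxBytesReader fails any
// read past the cap, and io.Copy moves the data to a temporary file in fixed
// chunks, so process memory stays flat. An oversized body leaves no partial
// file behind and returns a *http.MaxBytesError.
func streamBodyToTemp(w http.ResponseWriter, r *http.Request, limit int64) (string, int64, error) {
	body := http.MaxBytesReader(w, r.Body, limit)
	f, err := os.CreateTemp("", "attachment-*")
	if err != nil {
		return "", 0, err
	}
	n, err := io.Copy(f, body) // chunked copy; never a whole-body buffer
	f.Close()
	if err != nil {
		os.Remove(f.Name())
		return "", n, err
	}
	return f.Name(), n, nil
}

// uploadHandler answers 413 for an oversized upload instead of letting the
// process grow until the operating system starts killing services.
func uploadHandler(w http.ResponseWriter, r *http.Request) {
	path, _, err := streamBodyToTemp(w, r, maxAttachmentBytes)
	var tooBig *http.MaxBytesError
	switch {
	case errors.As(err, &tooBig):
		http.Error(w, "attachment too large", http.StatusRequestEntityTooLarge)
	case err != nil:
		http.Error(w, "upload failed", http.StatusInternalServerError)
	default:
		os.Remove(path) // illustrative only; a real service would keep the file
		w.WriteHeader(http.StatusCreated)
	}
}
```

A reverse proxy in front, such as the Nginx the report mentions, can enforce the same cap before the request reaches the application with `client_max_body_size`.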
Changelog
v2.0.0
- Removed contributors as requested.
v1.0.0 (this version; please use the updated v2.0.0)
- Compiled and published.
Files (12.7 MB)
| Name | Size | MD5 |
|---|---|---|
| CVE-2025-68971-en-v1p0p0.pdf | 12.7 MB | d8ed7b6fc8a7092f22578f88577f73dd |
| (file name not recovered) | 14.0 kB | 577e295d10162f191700ecac5cad9a1f |
| (file name not recovered) | 2.0 kB | 753c14f160c6dcc55133f5f25181f7a6 |
Additional details
Identifiers
- DOI: 10.5281/zenodo.18932933
- Other: chewkeanho-research-cve-2025-68971
- Other: D44E82C4-7EEF-436A-85FD-883062554B67
- Other: CVE-2025-68971
Dates
- Created: 2026-03-10 (Initialized Repository.)
- Available: 2026-03-13 (v1.0.0 Published)
Software
- Repository URL: https://codeberg.org/chewkeanho/research-cve-2025-68971
- Development Status: Active
References
- KEAN HO, CHEW; 2025; "Forgejo Workaround Shell Script" (forgejo-workaround-upload.sh); (Holloway) Chew, Kean Ho; Malaysia; Available at: https://doi.org/10.5281/zenodo.18932933
- KEAN HO, CHEW; 2026; "CVSS - Common Vulnerability Scoring System Version 4.0 Calculator"; website; FIRST.ORG; U.S.A.; Available at: https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:U/CR:L/IR:L/AR:H/MAV:N/MAC:L/MAT:N/MPR:N/MUI:A/MVC:N/MVI:N/MVA:H/MSC:N/MSI:N/MSA:H/S:P/AU:Y/R:A/V:D/RE:M/U:Green
- OWASP; 2026; "Vulnerability Disclosure Cheat Sheet"; website; OWASP; Available at: https://cheatsheetseries.owasp.org/cheatsheets/Vulnerability_Disclosure_Cheat_Sheet.html
- CISA.GOV; 2026; "Coordinated Vulnerability Disclosure Program"; Resources & Tools > Programs; CISA.GOV; U.S.A.; Available at: https://www.cisa.gov/resources-tools/programs/coordinated-vulnerability-disclosure-program
- MICHAEL KRIESE; 2026; "Forgejo v11.0.9 and v13.0.4 #49"; website; Forgejo Security Team, Forgejo.org; Germany; Available at: https://codeberg.org/forgejo/security-announcements/issues/49
- MATHIEU FENNIAK; 2025; "Patch: dd2f8a1352d53c9d3bb2577144ff09a8a21d3261"; software patch; Forgejo.org; Available at: https://codeberg.org/forgejo/forgejo/commit/dd2f8a1352d53c9d3bb2577144ff09a8a21d3261.patch
- FORGEJO.ORG; 2026; "[v11.0/forgejo] January 8th security patches #10722"; website; Forgejo.org; Germany; Available at: https://codeberg.org/forgejo/forgejo/pulls/10722/commits/dd2f8a1352d53c9d3bb2577144ff09a8a21d3261
- FORGEJO.ORG; 2026; "Forgejo Release v14.0.0"; website; Forgejo.org; Germany; Available at: https://codeberg.org/forgejo/forgejo/releases/tag/v14.0.0
- FORGEJO.ORG; 2026; "Forgejo v14.0.0 Release Notes"; website; Forgejo.org; Germany; Available at: https://codeberg.org/forgejo/forgejo/src/branch/forgejo/release-notes-published/14.0.0.md
- FORGEJO.ORG; 2026; "Forgejo 14.0.1 Release"; website; Forgejo.org; Germany; Available at: https://codeberg.org/forgejo/forgejo/releases/tag/v14.0.1
- FORGEJO.ORG; 2026; "Forgejo 14.0.1 Release Notes"; website; Forgejo.org; Germany; Available at: https://codeberg.org/forgejo/forgejo/src/branch/forgejo/release-notes-published/14.0.1.md
- KEAN HO, CHEW; 2024; "Memory Hogging Until OS Kill and Restart"; email; DOI: 10.123123/zenodo.123123123; (Holloway) Chew, Kean Ho; Malaysia; Available on the approval of the owner (private email)
- DAN LANGILLE; 2026; "FreshPorts - www/forgejo"; website; Dan Langille's FreshPorts (hosted by New York Internet, iXsystems, and RootBSD); U.S.A.; Available at: https://www.freshports.org/www/forgejo
- FORGEJO.ORG; 2026; "Forgejo 14.0.2 Release"; website; Forgejo.org; Germany; Available at: https://codeberg.org/forgejo/forgejo/releases/tag/v14.0.2
- FORGEJO.ORG; 2026; "Forgejo 14.0.2 Release Notes"; website; Forgejo.org; Germany; Available at: https://codeberg.org/forgejo/forgejo/src/branch/forgejo/release-notes-published/14.0.2.md
- FORGEJO.ORG; 2026; "Forgejo: feat: enable SQLite WAL by default #11059"; website; Forgejo.org; Germany; Available at: https://codeberg.org/forgejo/forgejo/pulls/11059
- KEAN HO, CHEW; 2025; "Re: Memory Hogging Until OS Kill and Restart"; email; Forgejo Security Team, Forgejo.org; Europe; Available on the approval of the owner (private email)
- MARK LINIMON; 2025; "Re: Fwd: Memory Hogging Until OS Kill and Restart"; email; FreeBSD.org; U.S.A.; Available on the approval of the owner (private email)
- KEAN HO, CHEW; 2025; "Re: Fwd: Memory Hogging Until OS Kill and Restart"; email; (Holloway) Chew, Kean Ho; Malaysia; Available on the approval of the owner (private email)
- CVE ASSIGNMENT TEAM; 2025; "CVE Request 1971568 for CVE ID Request"; email; MITRE.ORG; U.S.A.; Available on the approval of the owner (private email)
- MITRE.ORG; 2025; "Re: [scr1971568] one CVE"; email; MITRE.ORG; U.S.A.; Available on the approval of the owner (private email)
- KEAN HO, CHEW; 2025; "Re: Memory Hogging Until OS Kill and Restart"; email; (Holloway) Chew, Kean Ho; Malaysia; Available on the approval of the owner (private email)
- KEAN HO, CHEW; 2025; "Bug 291973 - www/forgejo Memory Hogging Until OS Kill and Restart"; FreeBSD Bugzilla; FreeBSD.org; U.S.A.; Available at: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=291973