Forgejo Security Release v8.0.1 & v7.0.7
Forgejo v8.0.1 & v7.0.7 were released 9 August 2024.
These releases contain a fix for a security issue which can be exploited by registered Forgejo users who can change the description of a repository. A change introduced in Forgejo v1.21 allows a Forgejo user with write permission on a repository description to inject a client-side script into the web page viewed by the visitor. This XSS vulnerability allows the href attribute of anchor elements in the repository description to be set to a javascript: URI, which executes the specified script when the link is clicked (not when the page loads). AllowStandardURLs is now called for the repository description policy, which ensures that URIs in anchor elements are mailto:, http:// or https://, thereby disallowing the javascript: URI.
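The scheme allow-list described above, as a standalone added example that is not Forgejo's code or the sanitiser library it calls: a minimal description sanitizer that keeps an anchor's href only when its scheme is mailto, http or https, and drops everything else (including javascript: URIs, however they are cased, whitespace-padded or entity-encoded). The allowed tag set and the choice to reject scheme-less (relative) hrefs are assumptions of this illustration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The three schemes the advisory names; everything else is refused.
ALLOWED_SCHEMES = {"mailto", "http", "https"}
# Assumed tag allow-list for this illustration only.
ALLOWED_TAGS = {"a", "p", "em", "strong", "code"}


def href_is_standard_url(href: str) -> bool:
    """Accept an href only if its scheme is mailto:, http: or https:."""
    # Browsers ignore ASCII whitespace and control characters inside a scheme,
    # so remove them first: "java\tscript:" must still be recognised as javascript:.
    compact = "".join(ch for ch in href if ch.isprintable() and not ch.isspace())
    scheme = urlsplit(compact).scheme.lower()
    return scheme in ALLOWED_SCHEMES  # scheme-less (relative) hrefs are rejected too


class DescriptionSanitizer(HTMLParser):
    """Rebuilds a description keeping only allow-listed tags and safe hrefs."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # unknown element: drop the tag itself, keep its text content
        if tag == "a":
            # html.parser decodes entities in attribute values, so an
            # "&#106;avascript:" href reaches this check as "javascript:".
            href = dict(attrs).get("href") or ""
            if href_is_standard_url(href):
                self.out.append(f'<a href="{html.escape(href, quote=True)}">')
                return
        self.out.append(f"<{tag}>")  # any other attribute (onclick, style, ...) is discarded

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data))  # text is re-escaped on output


def sanitize_description(raw: str) -> str:
    parser = DescriptionSanitizer()
    parser.feed(raw)
    parser.close()
    return "".join(parser.out)
```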
Recommended Action
We strongly recommend that all Forgejo installations are upgraded to the latest version as soon as possible.
Contribute to Forgejo
If you have any feedback or suggestions for Forgejo, we’d love to hear from you! Open an issue on our issue tracker for feature requests or bug reports. You can also find us on the Fediverse, or drop by our Matrix space (main chat room) to say hi!