Gitea Enterprise 25.4.2 is released

We are excited to announce the release of Gitea Enterprise 25.4.2! This version upgraded Gitea to v1.25.x and improved audit logs. We strongly recommend upgrading to benefit from the latest hardening work-especially the fixes called out below.

How to install or update

Download our pre-built binaries from the Gitea Enterprise downloads page — make sure to select the version compatible with your platform. For a step-by-step guide on installation or upgrades, check out our installation documentation

Changelog

25.4.2 - 2026-02-25

Enterprise

• Improve security APIs and introduce Gitea EE Go SDK https://gitea.com/commitgo/go-sdk
• Fix announcement title color picker bug
• Improve audit logs

This release also includes features from Gitea versions v1.25.0 ~ v.1.25.4

v1.25.4

• SECURITY
  • Release attachments must belong to the intended repo (#36347) (#36375)
  • Fix permission check on org project operations (#36318) (#36373)
  • Clean watches when make a repository private and check permission when send release emails (#36319) (#36370)
  • Add more check for stopwatch read or list (#36340) (#36368)
  • Fix openid setting check (#36346) (#36361)
  • Fix cancel auto merge bug (#36341) (#36356)
  • Fix delete attachment check (#36320) (#36355)
  • LFS locks must belong to the intended repo (#36344) (#36349)
  • Fix bug on notification read (#36339) #36387
• ENHANCEMENTS
  • Add more routes to the "expensive" list (#36290)
  • Make "commit statuses" API accept slashes in "ref" (#36264) (#36275)
• BUGFIXES
  • Fix markdown newline handling during IME composition (#36421) #36424
  • Fix missing repository id when migrating release attachments (#36389)
  • Fix bug when compare in the pull request (#36363) (#36372)
  • Fix incorrect text content detection (#36364) (#36369)
  • Fill missing has_code in repository api (#36338) (#36359)
  • Fix notifications pagination query parameters (#36351) (#36358)
  • Fix some trivial problems (#36336) (#36337)
  • Prevent panic when GitLab release has more links than sources (#36295) (#36305)
  • Fix stats bug when syncing release (#36285) (#36294)
  • Always honor user's choice for "delete branch after merge" (#36281) (#36286)
  • Use the requested host for LFS links (#36242) (#36258)
  • Fix panic when get editor config file (#36241) (#36247)
  • Fix regression in writing authorized principals (#36213) (#36218)
  • Fix WebAuthn error checking (#36219) (#36235)

v1.25.3

• SECURITY
  • Bump toolchain to go1.25.5, misc fixes (#36082)
• ENHANCEMENTS
  • Add strikethrough button to markdown editor (#36087) (#36104)
  • Add "site admin" back to profile menu (#36010) (#36013)
  • Improve math rendering (#36124) (#36125)
• BUGFIXES
  • Check user visibility when redirecting to a renamed user (#36148) (#36159)
  • Fix various bugs (#36139) (#36151)
  • Fix bug when viewing the commit diff page with non-ANSI files (#36149) (#36150)
  • Hide RSS icon when viewing a file not under a branch (#36135) (#36141)
  • Fix SVG size calulation, only use style attribute (#36133) (#36134)
  • Make Golang correctly delete temp files during uploading (#36128) (#36129)
  • Fix the bug when ssh clone with redirect user or repository (#36039) (#36090)
  • Use Golang net/smtp instead of gomail's smtp to send email (#36055) (#36083)
  • Fix edit user email bug in API (#36068) (#36081)
  • Fix bug when updating user email (#36058) (#36066)
  • Fix incorrect viewed files counter if file has changed (#36009) (#36047)
  • Fix container registry error handling (#36021) (#36037)
  • Fix webAuthn insecure error view (#36165) (#36179)
  • Fix some file icon ui (#36078) (#36088)
  • Fix Actions pull_request.paths being triggered incorrectly by rebase (#36045) (#36054)
  • Fix error handling in mailer and wiki services (#36041) (#36053)
  • Fix bugs when comparing and creating pull request (#36166) (#36144)

v1.25.2

• SECURITY
  • Upgrade golang.org/x/crypto to 0.45.0 (#35985) (#35988)
  • Fix various permission & login related bugs (#36002) (#36004)
• ENHANCEMENTS
  • Display source code downloads last for release attachments (#35897) (#35903)
  • Change project default column icon to 'star' (#35967) (#35979)
• BUGFIXES
  • Disabled GCM OAuth2 flow attempts when OAuth2 itself is disabled which is part of (#36002) (#36004)
  • Allow empty commit when merging pull request with squash style (#35989) (#36003)
  • Fix container push tag overwriting (#35936) (#35954)
  • Fix corrupted external render content (#35946) and upgrade golang.org/x packages (#35950)
  • Limit reading bytes instead of ReadAll (#35928) (#35934)
  • Use correct form field for allowed force push users in branch protection API (#35894) (#35908)
  • Fix team member access check (#35899) (#35905)
  • Fix conda null depend issue (#35900) (#35902)
  • Set the dates to now when not specified by the caller (#35861) (#35874)
  • Fix gogit ListEntriesRecursiveWithSize (#35862)
  • Misc CSS fixes (#35888) (#35981)
  • Don't show unnecessary error message to end users for DeleteBranchAfterMerge (#35937) (#35941)
  • Load jQuery as early as possible to support custom scripts (#35926) (#35929)
  • Allow to display embed images/pdfs when SERVE_DIRECT was enabled on MinIO storage (#35882) (#35917)
  • Make OAuth2 issuer configurable (#35915) (#35916)
  • Fix #35763: Add proper page title for project pages (#35773) (#35909)
  • Fix avatar upload error handling (#35887) (#35890)
  • Contribution heatmap improvements (#35876) (#35880)
  • Remove padding override on .ui .sha.label (#35864) (#35873)
  • Fix pull description code label background (#35865) (#35870)

v1.25.1

• BUGFIXES
  • Make ACME email optional (#35849) #35857
  • Add a doctor command to fix inconsistent run status (#35840) (#35845)
  • Remove wrong code (#35846)
  • Fix viewed files number is not right if not all files loaded (#35821) (#35844)
  • Fix incorrect pull request counter (#35819) (#35841)
  • Upgrade go mail to 0.7.2 and fix the bug (#35833) (#35837)
  • Revert gomail to v0.7.0 to fix sending mail failed (#35816) (#35824)
  • Fix clone mixed bug (#35810) (#35822)
  • Fix cli "Before" handling (#35797) (#35808)
  • Improve and fix markup code preview rendering (#35777) (#35787)
  • Fix actions rerun bug (#35783) (#35784)
  • Fix actions schedule update issue (#35767) (#35774)
  • Fix circular spin animation direction (#35785) (#35823)
  • Fix file extension on gogs.png (#35793) (#35799)
  • Add pnpm to Snapcraft (#35778)

v1.25.0

• BREAKING
  • Remove deprecated auth sources (#35272)
• FEATURES
  • Stream repo zip/tar.gz/bundle archives by default (#35487)
  • Add support for 3D/CAD file formats preview (#34794)
  • Send email on Workflow Run Success/Failure (#34982)
  • Edit file workflow for creating a fork and proposing changes (#34240)
  • Improve instance wide ssh commit signing (#34341)
  • Refactor repo contents API and add "contents-ext" API (#34822)
  • Follow file symlinks in the UI to their target (#28835)
  • Use configurable remote name for git commands (#35172)
  • Refactor OpenIDConnect to support SSH/FullName sync (#34978)
• ENHANCEMENTS
  • Code
    • Display pull request in merged commit view (#35202)
    • Support Basic Authentication for archive downloads (#35087)
    • Improve submodule relative path handling (#35056)
    • Support base64-encoded agit push options (#35037)
    • Add has_code to repository REST API (#35214)
  • Actions
    • Prevent duplicate actions email (#35215)
    • Use inputs context when parsing workflows (#35595)
    • The status icon of the Action step is consistent with GitHub (#35618) #35621
  • User Experience
    • Enable more markdown paste features in textarea editor (#35494)
    • Refactor time tracker UI (#34983)
    • Partially refresh notifications list (#35010)
    • Also display "recently pushed branch" alert on PR view (#35001)
    • Use monospace font in PR command line instructions (#35074)
    • UI: add hover background to table rows in user and repo admin page (#35072)
    • Make restricted users can access public repositories (#35693)
  • Administration
    • Don't store repo archives on gitea dump (#35467)
    • Avoid emoji mismatch and allow to only enable chosen emojis (#35705)
    • Always return the relevant status information, even if no status exists (#35335)
    • Disable Field count validation of CSV viewer (#35228)
    • Don't block site admin's operation if SECRET_KEY is lost (#35721)
  • Issues & Pull Requests
    • When sorting issues by nearest due date, issues without due date should be sorted ascending (#35267)
• BUGFIXES
  • Update tab title when navigating file tree (#35757) #35772
  • Fix "ref-issue" handling in markup (#35739) #35771
  • Fix webhook to prevent tag events from bypassing branch filters targets (#35567) #35577
  • Fix markup init after issue comment editing (#35536) #35537
  • Fix creating pull request failure when the target branch name is the same as some tag (#35552) #35582
  • Fix auto-expand and auto-scroll for actions logs (#35570) (#35583) #35586
  • Use inputs context when parsing workflows (#35590) #35595
  • Fix diffpatch API endpoint (#35610) #35613
  • Creating push comments before invoke pull request checking (#35647) #35668
  • Fix missing Close when error occurs and abused connection pool (#35658) #35670
  • Fix build (#35674)
  • Fix workflow run event status while rerunning a failed job (#35689)
  • Avoid emoji mismatch and allow to only enable chosen emojis (#35692)
  • Refactor legacy code, fix LFS auth bypass, fix symlink bypass (#35708)
  • Fix various trivial problems (#35714)
  • Fix attachment file size limit in server backend (#35519)
  • Honor delete branch on merge repo setting when using merge API (#35488)
  • Fix external render, make iframe render work (#35727, #35730)
  • Upgrade go mail to 0.7.2 (#35748)
  • Revert #18491, fix oauth2 client link account (#35745)
  • Fix workflow run event status while rerunning a failed job (#35703)
  • Fix various bugs (#35696)
  • Use LFS object size instead of blob size when viewing a LFS file (#35680)
  • Fix code tag style problem and LFS view bug (#35636)
  • Fix inputing review comment will remove reviewer (#35615)
  • Fix diffpatch API endpoint (#35613)
  • Fix: auto-expand and auto-scroll for actions logs (#35586)
  • Fix creating pull request failure when the target branch name is the same as some tag (#35582)
  • Fix rebase push display wrong comments bug (#35580)
  • Fix webhook: prevent tag events from bypassing branch filters targets (#35577)
  • Fix markup init after issue comment editing (#35537)
  • Fix different behavior in status check pattern matching with double stars (#35474)
  • Fix overflow in notifications list (#35446)
• REFACTORS
  • Move updateref and removeref to gitrepo and remove unnecessary open repository (#35511)
  • Move git command to git/gitcmd (#35483)
  • Replace gobwas/glob package (#35478)
  • Correctly override user unitmodes (#35501)
  • Fix various typos in codebase (#35480)
• MISC
  • Clean up npm dependencies (#35508, #35484)
  • Update eslint to v9 (#35485)
  • Replace webpack with rspack (#35460)
  • Bump setup-node to v5 (#35448)
  • Bump archives&rar dep (#35638)
  • Fix build (#35674)
  • Fix missing Close when error occurs and abused connection pool (#35670)
  • Creating push comments before invoke pull request checking (#35668)
  • Fix a bug missed return (#35667)
  • Always create Actions logs stepsContainer (#35672)
  • Mock external service in hcaptcha TestCaptcha (#35614)
  • Fixing issue: Password Leak in Log Messages (#35609)
  • Exposing TimeEstimate field in the API (#35475)
  • Vertically center date in file view latest commit (#35456)
  • The status icon of the Action step is consistent with GitHub (#35621)
  • Add perf trace start time (#35282)