Gitea Enterprise 25.5.0 is released

We are excited to announce the release of Gitea Enterprise 25.5.0! This version upgraded Gitea to v1.25.x and improved audit logs. We strongly recommend upgrading to benefit from the latest hardening work-especially the fixes called out below.

How to install or update

Download our pre-built binaries from the Gitea Enterprise downloads page — make sure to select the version compatible with your platform. For a step-by-step guide on installation or upgrades, check out our installation documentation

Changelog

25.5.0 - 2026-04-18

Enterprise

• Add ExternalIDClaim option for OAuth2 OIDC auth source
• Support export audit logs as CSV file

This release also includes features from Gitea versions v1.25.5

v1.25.5

• Bugfix
  • Fix bug introduced by fix catch scanner error
  • Update Combine method to treat warnings as failures and adjust tests (#37048) (#37075)
  • Fix missing workflow_run notifications when updating jobs from multiple runs (#36997) (#37003)
  • Catch scanner error when possible to avoid bypass (#36963) (#36976)
  • Fix user settings sidebar showing disabled features on some pages (#36958) (#36969)
  • Fix org permission API visibility checks for hidden members and private orgs (#36798) (#36841)
  • Fix non-admins unable to automerge PRs from forks (#36833) (#36843)
  • Fix bug to check whether user can update pull request branch or rebase branch (#36465) (#36838)
  • Add a git grep search timeout (#36809) (#36835)
  • Make security-check informational only (#36681) (#36852)
  • Fix dump release asset bug (#36799) (#36839)
  • Fix forwarded proto handling for public URL detection (#36810) (#36836)
  • Fix OAuth2 authorization code expiry and reuse handling (#36797) (#36851)
  • Fix bug when pushing mirror with wiki (#36795) (#36807)
  • Fix artifacts v4 backend upload problems (#36805) (#36834)
  • Upgrade to github.com/cloudflare/circl 1.6.3, svgo 4.0.1, markdownlint-cli 0.48.0 (#36840)
  • Fix CRAN package version validation to allow more than 4 version components (#36813) (#36821)
  • Add validation constraints for repository creation fields (#36671) (#36757)
  • Fix force push time-line commit comments of pull request (#36653) (#36717)
  • Fix SVG height calculation in diff viewer (#36748) (#36750)
  • Fix track time list permission check (#36662) (#36744)
  • Fix path resolving (#36734) (#36746)
  • Prevent redirect bypasses via backslash-encoded paths (#36660) (#36716)
  • Fix get release draft permission check (#36659) (#36715)
  • Fix push time bug (#36693) (#36713)
  • Add migration http transport for push/sync mirror lfs (#36665) (#36691)
  • Add some validation on values provided to USER_DISABLED_FEATURES and EXTERNAL_USER_DISABLED_FEATURES (#36688) (#36692)
  • Fix track time issue id (#36664) (#36689)
  • Fix bug the protected branch rule name is conflicted with renamed branch name (#36650) (#36661)
  • Fix a bug user could change another user's primary email (#36586) (#36607)
  • Fix bug when do LFS GC (#36500) (#36608)
  • Fix focus lost bugs in the Monaco editor (#36609)
  • Fix(diff): reprocess htmx content after loading more files (#36568) (#36577)
  • Add wrap to runner label list (#36565) (#36574)
  • Fix: add dnf5 command for Fedora in RPM package instructions (#36527) (#36572)
  • Fix assignee sidebar links and empty placeholder (#36559) (#36563)
  • Fix issues filter dropdown showing empty label scope section (#36535) (#36544)
  • Fix various mermaid bugs (#36547) (#36552)
  • Fix(packages/container): data race when uploading container blobs concurrently (#36524) (#36526)
  • Allow scroll propagation outside code editor (#36502) (#36510)
  • Correct spacing between username and bot label (#36473) (#36484)
  • Fix oauth2 s256 (#36462) (#36477)
  • Add resolve/unresolve review comment API endpoints (#36441)
  • Bump toolchain to 1.25.9 and upgrade deps
  • Improve actions notifier for workflow_run (#37088) (#37099)
  • Bump toolchain and deps (#371)