CVE-2025-52477
BaseFortify
Publication date: 2025-06-26
Last updated on: 2025-06-26
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-52477 is a high-severity vulnerability in Octo-STS versions before v0.5.3. It is an unauthenticated Server-Side Request Forgery (SSRF) vulnerability that arises from abusing fields in OpenID Connect tokens. Attackers can exploit this flaw to trigger internal network requests without authentication. These requests can cause error logs to reflect sensitive information, potentially exposing confidential data. The vulnerability affects confidentiality but does not impact integrity or availability. The issue was fixed in version v0.5.3 by sanitizing inputs and redacting sensitive information in logs. [1]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers to perform unauthenticated SSRF attacks that trigger internal network requests. These requests can cause error logs to leak sensitive information, potentially exposing confidential data within your internal network. Since the vulnerability has a network attack vector, low attack complexity, and requires no privileges or user interaction, it poses a significant risk to confidentiality. Exploitation could lead to unauthorized disclosure of sensitive information. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves monitoring for unusual internal network requests triggered by malformed or malicious OpenID Connect tokens, especially those causing reflected error logs with sensitive information. Since the vulnerability exploits SSRF via token fields, inspecting logs for suspicious error messages or unexpected outbound requests from the Octo-STS service may help. However, no specific detection commands are provided in the available resources. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Octo-STS to version v0.5.3 or later, which includes patches that sanitize input fields in OpenID Connect tokens and redact sensitive information in logs to prevent exploitation. Additionally, ensure that logging is configured to avoid exposing sensitive data in warning or error logs, and apply strict validation of token fields as implemented in the patch to prevent SSRF attacks. [1, 2, 3]