CVE-2025-52553
BaseFortify
Publication date: 2025-06-27
Last updated on: 2025-08-21
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| goauthentik | authentik | Up to 2025.4.3 (exc) |
| goauthentik | authentik | From 2025.6.0 (inc) to 2025.6.3 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-52553 is a vulnerability in the authentik identity provider's Remote Access Control (RAC) endpoint. When a user authorizes access, authentik generates a token sent via the URL intended for a single connection and valid only for that user's session. However, in versions prior to 2025.4.3 and 2025.6.3, the system did not verify that the token was tied to the specific user session, allowing an attacker to reuse the token URL (for example, during a screenshare) to gain unauthorized access to the same session. The fix enforces session-bound token validation by checking the session key associated with the token, preventing token reuse across different sessions. [1, 2, 4]
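The contrast the answer draws, a connection token that is only checked for existence and expiry versus one that is also bound to the session key that authorised it, as an added illustration. This is not authentik's code; the `TokenStore` class, its method names and the session-key strings are hypothetical, and only the shape of the check mirrors what the advisory describes.

```python
# Added example (not authentik's implementation). Models a single-use RAC
# connection token that is valid for one user's session, and shows the
# unbound check (pre-fix behaviour) beside the session-bound check (the fix).
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hmac
import secrets


@dataclass
class ConnectionToken:
    token: str
    user: str
    session_key: str       # session that authorised the connection
    expires: datetime


class TokenStore:
    """Hypothetical in-memory token store; names are assumptions."""

    def __init__(self):
        self._tokens = {}

    def issue(self, user, session_key, ttl_minutes=5, now=None):
        # Short TTL mirrors the 'Connection expiry' mitigation (5 minutes).
        now = now or datetime.now(timezone.utc)
        tok = ConnectionToken(
            token=secrets.token_urlsafe(32),
            user=user,
            session_key=session_key,
            expires=now + timedelta(minutes=ttl_minutes),
        )
        self._tokens[tok.token] = tok
        return tok.token

    def _lookup(self, token, now=None):
        now = now or datetime.now(timezone.utc)
        tok = self._tokens.get(token)
        if tok is None or now >= tok.expires:
            return None
        return tok

    def validate_unbound(self, token, now=None):
        # Pre-fix behaviour: any holder of the token URL passes, regardless
        # of which session presents it.
        return self._lookup(token, now) is not None

    def validate_bound(self, token, session_key, now=None):
        # Fixed behaviour: the token must be presented by the same session
        # that authorised it. Constant-time compare avoids leaking key bytes.
        tok = self._lookup(token, now)
        if tok is None:
            return False
        return hmac.compare_digest(tok.session_key, session_key)

    def revoke(self, token):
        # Mirrors 'Delete authorization on disconnect': the token is gone
        # once the connection it was issued for ends.
        self._tokens.pop(token, None)
```

Usage: `store.issue("alice", "sess-A")` returns a token; `validate_bound(token, "sess-A")` succeeds, `validate_bound(token, "sess-B")` fails, while `validate_unbound(token)` would accept both, which is the gap the fix closes.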
How can this vulnerability impact me?
This vulnerability allows an attacker to hijack an authorized RAC session by reusing a token URL without proper authorization. For example, during a screenshare, a malicious user could copy the URL containing the token and access the same session, leading to unauthorized session access. While the vulnerable system itself may not suffer direct confidentiality, integrity, or availability loss, the subsequent system accessed through the hijacked session can experience high impact on confidentiality, integrity, and availability. [1, 2, 3, 4]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for reuse of RAC endpoint tokens across different user sessions, especially tokens appearing in URLs during or after screensharing sessions. Since the token is sent via URL, inspecting logs or network traffic for repeated use of the same token from different sessions or IP addresses may indicate exploitation attempts. Specific commands are not provided in the resources, but administrators can search web server or proxy logs for repeated token values in URLs or use network monitoring tools to detect token reuse patterns. [1, 2, 4]
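The log search the answer suggests, carried out over a handful of constructed proxy log lines, as an added example that is not part of the original page. The log format, the `/rac/connect` path, the `token` query parameter name and the trailing `session=` field are all assumptions chosen for the demonstration; real access logs will need the regex and the session identifier (for example a cookie value) adapted to what the proxy actually records.

```python
# Added example (not from the page): flag a RAC token that appears in URLs
# from more than one session or more than one client IP. A repeat from the
# same session and IP (a reconnect) is treated as normal and not flagged.
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed sample log lines; the format is an assumption.
LOG_LINES = [
    '10.0.0.5 - - [27/Jun/2025:10:00:01 +0000] "GET /rac/connect?token=tokA HTTP/1.1" 200 512 session=sessA',
    '10.0.0.5 - - [27/Jun/2025:10:00:09 +0000] "GET /rac/connect?token=tokA HTTP/1.1" 200 512 session=sessA',
    '10.0.0.5 - - [27/Jun/2025:10:01:00 +0000] "GET /rac/connect?token=tokB HTTP/1.1" 200 512 session=sessA',
    '192.0.2.77 - - [27/Jun/2025:10:03:12 +0000] "GET /rac/connect?token=tokB HTTP/1.1" 200 512 session=sessZ',
    '10.0.0.9 - - [27/Jun/2025:10:04:00 +0000] "GET /static/app.js HTTP/1.1" 200 10 session=sessC',
    'this line is not a valid access log record',
]

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \d+ '
    r'session=(?P<session>\S+)$'
)


def parse_line(line):
    """Return a dict of fields, or None for lines that do not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def extract_token(path):
    """Pull the token value out of the request URL's query string, if any."""
    qs = parse_qs(urlparse(path).query)
    values = qs.get("token")
    return values[0] if values else None


def find_reused_tokens(lines):
    """Group requests by token; return those seen from >1 session or >1 IP."""
    seen = defaultdict(lambda: {"sessions": set(), "ips": set(), "hits": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue            # skip unparsable lines rather than abort
        token = extract_token(rec["path"])
        if token is None:
            continue            # request carried no token
        info = seen[token]
        info["sessions"].add(rec["session"])
        info["ips"].add(rec["ip"])
        info["hits"] += 1
    return {
        tok: info
        for tok, info in seen.items()
        if len(info["sessions"]) > 1 or len(info["ips"]) > 1
    }


if __name__ == "__main__":
    for tok, info in find_reused_tokens(LOG_LINES).items():
        print(f"token {tok}: {info['hits']} requests, "
              f"sessions={sorted(info['sessions'])}, ips={sorted(info['ips'])}")
```

In the constructed data `tokA` is used twice but by the same session and IP and is left alone, while `tokB` is presented from a second session and address and is reported; a hit like that is the pattern worth correlating with the RAC provider's own connection records.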
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include reducing the token validity duration by setting the 'Connection expiry' to a short period such as 5 minutes in the RAC Provider settings, and enabling the 'Delete authorization on disconnect' option to limit token reuse. Additionally, updating authentik to versions 2025.4.3 or 2025.6.3, which include the fix enforcing session-bound token validation, is strongly recommended. [1, 2, 3, 4]