CVE-2025-57766
BaseFortify
Publication date: 2025-09-08
Last updated on: 2025-09-10
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ethyca | fides | up to 2.69.1 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-613 | According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization." |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Fides occurs because, when an admin user changes their password via the admin UI, that user's active sessions are not invalidated. If an attacker has already obtained a valid session token by other means (for example through cross-site scripting), they can keep using the account even after the password has been reset. The vulnerability is not directly exploitable on its own: it requires a prior way of obtaining valid session tokens. It was fixed in version 2.69.1.
How can this vulnerability impact me?
Attackers who have obtained session tokens can maintain unauthorized access to user accounts even after the password has been changed. This means a password reset does not end an ongoing compromise, leading to continued unauthorized access and potential misuse of the affected accounts.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Fides to version 2.69.1 or later, as this version fixes the vulnerability. No workarounds are known, so applying the update is the recommended immediate mitigation step.
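The session-handling pattern behind CWE-613, and the fix the answers above describe, as an added illustration (constructed example, not Fides code; the `AuthStore` class, its method names and the credential-version scheme are assumptions): each session records the user's credential version at issue time, and a password change bumps that version so every older session is rejected.

```python
import hashlib
import hmac
import secrets


class AuthStore:
    """Toy user and session store (constructed example, not Fides code)."""

    def __init__(self):
        self._pw = {}        # user -> (salt, PBKDF2 digest)
        self._cred_ver = {}  # user -> credential version, bumped on password change
        self._sessions = {}  # token -> (user, credential version at issue time)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def set_password(self, user, password):
        salt = secrets.token_bytes(16)
        self._pw[user] = (salt, self._hash(password, salt))
        self._cred_ver.setdefault(user, 0)

    def login(self, user, password):
        """Verify the password and issue a session bound to the current credential version."""
        if user not in self._pw:
            return None
        salt, digest = self._pw[user]
        if not hmac.compare_digest(digest, self._hash(password, salt)):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, self._cred_ver[user])
        return token

    def resolve(self, token):
        """Return the user for a session token, or None if it is unknown or stale."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, ver = entry
        if ver != self._cred_ver[user]:
            # Issued before the last password change: treat as revoked (the CWE-613 fix).
            del self._sessions[token]
            return None
        return user

    def change_password(self, user, new_password, revoke_sessions=True):
        """Change the password; revoke_sessions=False reproduces the vulnerable behaviour."""
        self.set_password(user, new_password)
        if revoke_sessions:
            self._cred_ver[user] += 1
```

With `revoke_sessions=False` a token issued before the change keeps resolving, which is the behaviour this CVE describes; with the default, the same token is rejected and the user must log in again.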