CVE-2025-57815
BaseFortify
Publication date: 2025-09-08
Last updated on: 2025-09-10
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ethyca | fides | up to 2.69.1 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-307 | The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects the Fides Admin UI login endpoint prior to version 2.69.1. The login endpoint uses a general IP-based rate limit for all API traffic but lacks specific anti-automation controls to prevent brute-force attacks. As a result, attackers can perform credential testing attacks such as credential stuffing or password spraying, targeting accounts with weak or compromised passwords. The issue is fixed in version 2.69.1, and for commercial Fides Enterprise users, enabling Single Sign-On (SSO) via an OIDC provider can eliminate this attack vector by disabling username/password authentication.
How can this vulnerability impact me?
This vulnerability can allow attackers to perform automated credential testing attacks against your Fides Admin UI login, potentially leading to unauthorized access to accounts with weak or previously compromised passwords. This could result in account compromise and unauthorized actions within the platform.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately upgrade Fides to version 2.69.1 or later. For organizations with commercial Fides Enterprise licenses, configure Single Sign-On (SSO) through an OIDC provider such as Azure, Google, or Okta, and disable username/password authentication entirely to eliminate the attack vector. For Fides Open Source users, upgrading to the fixed version is the primary mitigation.