CVE-2025-57816
BaseFortify
Publication date: 2025-09-08
Last updated on: 2025-09-10
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ethyca | fides | up to 2.69.1 (excluding 2.69.1) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-799 | The product does not properly limit the number or frequency of interactions that it has with an actor, such as the number of incoming requests. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects the Fides Webserver API's built-in IP-based rate limiting prior to version 2.69.1. The rate limiting is ineffective in environments using CDNs, proxies, or load balancers because it applies limits based on infrastructure IPs rather than the actual client IPs. Additionally, rate limit counters are stored in-memory instead of a shared store, allowing attackers to bypass rate limits and potentially cause denial of service. The issue only affects deployments relying on Fides's built-in rate limiting and is fixed in version 2.69.1.
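To make the two defects in that answer concrete, the following simulation is an added example and not Fides's code: it models a per-IP limiter keyed on the proxy's address with counters private to each webserver replica, next to a limiter keyed on the client address recovered from X-Forwarded-For behind a trusted proxy range and backed by a store both replicas share. The proxy range 10.0.0.0/8, the addresses, and the 5-requests-per-60-seconds policy are constructed values.

```python
import ipaddress

# Constructed values: the CDN/load-balancer range and a 5-requests-per-60s policy.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
LIMIT, WINDOW = 5, 60.0

def naive_key(peer_ip, xff):
    """Pre-fix behaviour: count requests against the peer (infrastructure) IP."""
    return peer_ip

def client_ip(peer_ip, xff):
    """Hardened key: walk X-Forwarded-For right to left, skipping only trusted hops."""
    if not any(ipaddress.ip_address(peer_ip) in n for n in TRUSTED_PROXIES):
        return peer_ip  # direct connection: the header is client-controlled, ignore it
    for hop in reversed([h.strip() for h in xff.split(",") if h.strip()]):
        if not any(ipaddress.ip_address(hop) in n for n in TRUSTED_PROXIES):
            return hop
    return peer_ip

class RateLimiter:
    def __init__(self, store, key_fn):
        self.store = store      # key -> timestamps; a private dict or one shared by all replicas
        self.key_fn = key_fn

    def allow(self, peer_ip, xff, now):
        key = self.key_fn(peer_ip, xff)
        hits = [t for t in self.store.get(key, []) if now - t < WINDOW] + [now]
        self.store[key] = hits
        return len(hits) <= LIMIT

def build_requests():
    """Constructed traffic: client A sends 12 requests, then client B sends 1, all via proxy 10.0.0.1."""
    return [("A", "10.0.0.1", "203.0.113.7")] * 12 + [("B", "10.0.0.1", "198.51.100.9")]

def run(requests, key_fn, shared):
    """Two webserver replicas behind the proxy, round-robin; returns allowed requests per client."""
    store = {}
    workers = [RateLimiter(store if shared else {}, key_fn) for _ in range(2)]
    allowed = {client: 0 for client, _, _ in requests}
    for i, (client, peer, xff) in enumerate(requests):
        if workers[i % 2].allow(peer, xff, now=float(i)):
            allowed[client] += 1
    return allowed

if __name__ == "__main__":
    print("peer IP, per-replica counters:", run(build_requests(), naive_key, shared=False))  # {'A': 10, 'B': 0}
    print("client IP, shared counters:   ", run(build_requests(), client_ip, shared=True))   # {'A': 5, 'B': 1}
```

The first run shows both failure modes at once: A gets 10 requests through a limit of 5 because each replica counts on its own, and B, a different client behind the same proxy, is locked out because the bucket belongs to the proxy's IP rather than to either client.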
How can this vulnerability impact me?
An attacker can bypass the intended rate limits on the Fides Webserver API, potentially causing a denial of service by overwhelming the system. This can disrupt service availability for legitimate users. The impact is limited to deployments that rely solely on Fides's built-in rate limiting and do not use external rate limiting solutions.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Fides to version 2.69.1 or later to fix the ineffective built-in IP-based rate limiting. If upgrading is not immediately possible, implement external rate limiting at the infrastructure level using a Web Application Firewall (WAF), API Gateway, or similar technology, as there are no application-level workarounds.