CVE-2025-57816
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-08

Last updated on: 2025-09-10

Assigner: GitHub, Inc.

Description
Fides is an open-source privacy engineering platform. Prior to version 2.69.1, the Fides Webserver API's built-in IP-based rate limiting is ineffective in environments with CDNs, proxies or load balancers. The system incorrectly applies rate limits based on directly connected infrastructure IPs rather than client IPs, and stores counters in-memory rather than in a shared store. This allows attackers to bypass intended rate limits and potentially cause denial of service. This vulnerability only affects deployments relying on Fides's built-in rate limiting for protection. Deployments using external rate limiting solutions (WAFs, API gateways, etc.) are not affected. Version 2.69.1 fixes the issue. There are no application-level workarounds. However, rate limiting may instead be implemented externally at the infrastructure level using a WAF, API Gateway, or similar technology.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-08
Last Modified
2025-09-10
Generated
2026-06-17
AI Q&A
2025-09-09
EPSS Evaluated
2026-06-15
NVD
CVE-2025-57816
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
ethyca fides to 2.69.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-799 The product does not properly limit the number or frequency of interactions that it has with an actor, such as the number of incoming requests.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects the Fides Webserver API's built-in IP-based rate limiting prior to version 2.69.1. The rate limiting is ineffective in environments using CDNs, proxies, or load balancers because it applies limits based on infrastructure IPs rather than the actual client IPs. Additionally, rate limit counters are stored in-memory instead of a shared store, allowing attackers to bypass rate limits and potentially cause denial of service. The issue only affects deployments relying on Fides's built-in rate limiting and is fixed in version 2.69.1.

Impact Analysis

An attacker can bypass the intended rate limits on the Fides Webserver API, potentially causing a denial of service by overwhelming the system. This can disrupt service availability for legitimate users. The impact is limited to deployments that rely solely on Fides's built-in rate limiting and do not use external rate limiting solutions.

Mitigation Strategies

Upgrade Fides to version 2.69.1 or later to fix the ineffective built-in IP-based rate limiting. If upgrading is not immediately possible, implement external rate limiting at the infrastructure level using a Web Application Firewall (WAF), API Gateway, or similar technology, as there are no application-level workarounds.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-57816. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart