CVE-2025-57817
BaseFortify
Publication date: 2025-09-08
Last updated on: 2025-09-10
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ethyca | fides | to 2.69.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Fides, an open-source privacy engineering platform, involves improper authorization in the OAuth client creation and update endpoints of the Fides Webserver API prior to version 2.69.1. Specifically, users with high-level permissions to create or update clients can escalate their privileges to owner-level due to insufficient scope authorization checks.
How can this vulnerability impact me? :
The vulnerability allows highly privileged users to escalate their privileges to owner-level, potentially giving them full control over OAuth clients and associated data. This could lead to unauthorized access, modification, or misuse of sensitive information within the Fides platform.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Fides to version 2.69.1 or later, as this version fixes the improper authorization issue in the OAuth client creation and update endpoints. There are no known workarounds available.