CVE-2025-59036
BaseFortify
Publication date: 2025-09-09
Last updated on: 2025-09-11
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| infrahub | infrahub-server | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-298 | A certificate expiration is not validated or is incorrectly validated, so trust may be assigned to certificates that have been abandoned due to age. |
AI Powered Q&A
Can you explain this vulnerability to me?
Infrahub versions prior to 1.3.9 (1.3.x line) and 1.4.5 (1.4.x line) have a bug in their API token authentication logic: a token that has been deleted or has passed its expiry date is still accepted. The only condition the affected code effectively enforces is that the token belongs to an active user account, so any token ever issued to such an account keeps authenticating even after it was revoked or expired.
How can this vulnerability impact me?
Tokens that should have been invalidated remain usable, so anyone who holds an old token (a former team member, a CI job whose token was rotated, or an attacker who found a token in logs or a repository) retains access and can perform whatever actions and data access that account is allowed. In particular, the usual response to a suspected token leak, deleting the token or letting it expire, does not actually cut off the holder, which undermines both integrity and confidentiality of the system.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Infrahub to 1.3.9 or 1.4.5 (or a later release) where the issue is fixed. Until the upgrade is applied, the only way to stop a specific deleted or expired token from authenticating is to deactivate the user account it belongs to, since token deletion and expiry are not enforced; note that this also disables that account's legitimate tokens. After upgrading, rotate any tokens that may have been exposed and review API access logs for activity from tokens that should already have been invalid.
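To make the flaw concrete, the following added example (illustrative code written for this page, not Infrahub's own implementation) models token validation that only checks the owning account, beside a hardened version that also enforces deletion and expiry, and an audit helper that lists the tokens the weak check would wrongly accept. The token store, the `ApiToken`/`Account` types and the sample tokens are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed data model for the example (not Infrahub's schema).
@dataclass
class Account:
    username: str
    active: bool

@dataclass
class ApiToken:
    token_id: str
    account: Account
    expires_at: Optional[datetime]   # None means the token never expires
    deleted: bool = False            # soft-deleted ("revoked") token

# Constructed sample store: one token per interesting state.
NOW = datetime(2025, 9, 10, 12, 0, tzinfo=timezone.utc)
ALICE = Account("alice", active=True)
BOB = Account("bob", active=False)

TOKENS = {
    "tok-live":     ApiToken("tok-live", ALICE, NOW + timedelta(days=30)),
    "tok-expired":  ApiToken("tok-expired", ALICE, NOW - timedelta(days=1)),
    "tok-deleted":  ApiToken("tok-deleted", ALICE, NOW + timedelta(days=30), deleted=True),
    "tok-inactive": ApiToken("tok-inactive", BOB, NOW + timedelta(days=30)),
}

def authenticate_vulnerable(token_value: str, now: datetime = NOW) -> Optional[str]:
    """Models the flawed logic described on this page: the only thing checked
    is that the token maps to an active account. Deleted and expired tokens
    sail through as long as their owner is still active."""
    token = TOKENS.get(token_value)
    if token is None or not token.account.active:
        return None
    return token.account.username

def authenticate_fixed(token_value: str, now: datetime = NOW) -> Optional[str]:
    """Hardened check: every reason a token should be invalid is enforced
    independently, and the comparison uses timezone-aware datetimes so a
    naive 'now' cannot be compared against an aware expiry by mistake."""
    token = TOKENS.get(token_value)
    if token is None:
        return None
    if token.deleted:
        return None                                  # revoked
    if token.expires_at is not None and now >= token.expires_at:
        return None                                  # expired (expiry instant itself is invalid)
    if not token.account.active:
        return None                                  # owner disabled
    return token.account.username

def zombie_tokens(now: datetime = NOW) -> list:
    """Audit helper: tokens the vulnerable check accepts but the fixed check
    rejects. On an unpatched instance these are the credentials that still work
    although operators believe they were deleted or expired."""
    return sorted(
        t for t in TOKENS
        if authenticate_vulnerable(t, now) is not None
        and authenticate_fixed(t, now) is None
    )

if __name__ == "__main__":
    for t in TOKENS:
        print(f"{t:13s} vulnerable={authenticate_vulnerable(t)!r:8} fixed={authenticate_fixed(t)!r}")
    print("tokens still usable on an unpatched instance:", zombie_tokens())
```

The audit helper is the part worth carrying over to a real deployment: before the upgrade, the tokens it reports are the ones to treat as live credentials (and, per the mitigation above, the only way to cut them off is deactivating their owning account); after the upgrade, the same list tells you which tokens' usage to look for in historical API logs.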