CVE-2025-61779
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-09

Last updated on: 2025-10-14

Assigner: GitHub, Inc.

Description
Confidential Containers's Trustee project contains tools and components for attesting confidential guests and providing secrets to them. In versions prior to 0.15.0, the attestation-policy endpoint didn't check if the kbs-client submitting the request was actually authenticated (had the right key). This allowed any kbs-client to actually change the attestation policy. Version 0.15.0 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-09
Last Modified
2025-10-14
Generated
2026-06-16
AI Q&A
2025-10-09
EPSS Evaluated
2026-06-15
NVD
CVE-2025-61779
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
confidential_containers trustee 0.11.0
confidential_containers trustee 0.15.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in CVE-2025-61779 is in the Confidential Containers' Trustee project, specifically in the 'attestation-policy' endpoint. Before version 0.15.0, this endpoint did not verify if the requesting kbs-client was properly authenticated as an administrator. This lack of authentication allowed any kbs-client, even those without the correct key, to change the attestation policy arbitrarily. The issue was fixed by adding proper admin authentication checks to ensure only authorized users can modify the attestation policy. [1, 2, 3]

Impact Analysis

This vulnerability can severely impact security by allowing unauthorized users to modify the attestation policy within the Trustee component. Since attestation policies are critical for verifying and trusting confidential guests, unauthorized changes could compromise the integrity and trustworthiness of the system, potentially leading to unauthorized access or exposure of sensitive secrets. [1, 3]

Detection Guidance

Detection involves monitoring attempts to access or modify the attestation-policy endpoint without proper authentication. You can inspect logs for POST requests to the attestation-policy endpoint from unauthorized kbs-clients. For example, using curl to test the endpoint without authentication: curl -X POST https://<trustee-server>/attestation-policy -d '<policy-data>' -v and checking if the request is accepted. Additionally, network monitoring tools can be used to detect unauthorized POST requests to this endpoint. [1, 3]

Mitigation Strategies

Immediately upgrade the confidential-containers/trustee project to version 0.15.0 or later, where the attestation-policy endpoint enforces administrative authentication. Until the upgrade, restrict network access to the attestation-policy endpoint to trusted clients only, and monitor for unauthorized access attempts. Applying the fix from pull request #957 ensures that only authenticated administrators can modify the attestation policy. [1, 2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-61779. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart