CVE-2025-64708
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-19

Last updated on: 2025-11-20

Assigner: GitHub, Inc.

Description
authentik is an open-source Identity Provider. Prior to versions 2025.8.5 and 2025.10.2, in previous authentik versions, invitations were considered valid regardless if they are expired or not, thus relying on background tasks to clean up expired ones. In a normal scenario this can take up to 5 minutes because the cleanup of expired objects is scheduled to run every 5 minutes. However, with a large amount of tasks in the backlog, this might take longer. authentik versions 2025.8.5 and 2025.10.2 fix this issue. A workaround involves creating a policy that explicitly checks whether the invitation is still valid, and then bind it to the invitation stage on the invitation flow, and denying access if the invitation is not valid.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-19
Last Modified
2025-11-20
Generated
2026-06-16
AI Q&A
2025-11-19
EPSS Evaluated
2026-06-15
NVD
CVE-2025-64708
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
goauthentik authentik From 2025.8.0 (inc) to 2025.8.5 (exc)
goauthentik authentik From 2025.10.0 (inc) to 2025.10.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-613 According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in authentik, an open-source Identity Provider, involves invitations being considered valid even if they have expired. The system relies on background tasks to clean up expired invitations every 5 minutes, but if there is a backlog, expired invitations may remain valid longer than intended. This allows potentially expired invitations to be used until the cleanup task runs. Versions 2025.8.5 and 2025.10.2 fix this issue by addressing the validation of invitations. A workaround is to create a policy that explicitly checks invitation validity and denies access if the invitation is expired.

Impact Analysis

This vulnerability can impact you by allowing expired invitations to be used to gain access to the system, potentially bypassing intended access controls. This could lead to unauthorized access if expired invitations are exploited before the cleanup task removes them, especially in scenarios with a large backlog of tasks delaying cleanup.

Mitigation Strategies

To mitigate this vulnerability immediately, you can create a policy that explicitly checks whether the invitation is still valid, bind this policy to the invitation stage on the invitation flow, and deny access if the invitation is not valid. Additionally, upgrading authentik to versions 2025.8.5 or 2025.10.2 will fix the issue.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-64708. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart