GHSA-h3qp-hwvr-9xcq
Vulnerability from github
Published: 2025-06-26 18:53
Modified: 2025-06-26 18:53
Summary: Octo STS Unauthenticated SSRF by abusing fields in OpenID Connect tokens
Details

Summary

Octo-STS versions before v0.5.3 are vulnerable to unauthenticated server-side request forgery (SSRF) through attacker-controlled fields in OpenID Connect tokens. Malicious tokens were shown to trigger requests to internal network hosts, and the resulting error logs could reflect sensitive information back to the caller.

Please upgrade to v0.5.3 to resolve this issue. This release includes patch sets that sanitize the token input and redact the logging (the two commits are listed under References).

Many thanks to @vicevirus for reporting this issue and for assisting with remediation review.

References

  • https://github.com/octo-sts/app/security/advisories/GHSA-h3qp-hwvr-9xcq
  • https://github.com/octo-sts/app/commit/b3976e39bd8c8c217c0670747d34a4499043da92
  • https://github.com/octo-sts/app/commit/0f177fde54f9318e33f0bba6abaea9463a7c3afd


{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.5.2"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/octo-sts/app"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.5.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-52477"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-26T18:53:54Z",
    "nvd_published_at": "2025-06-26T17:15:30Z",
    "severity": "HIGH"
  },
  "details": "##  Summary\n\nOcto-STS versions before v0.5.3 are vulnerable to unauthenticated SSRF by abusing fields in OpenID Connect tokens. Malicious tokens were shown to trigger internal network requests which could reflect error logs with sensitive information. \n\nPlease upgrade to v0.5.3 to resolve this issue. This version includes patch sets to [sanitize input](https://github.com/octo-sts/app/commit/b3976e39bd8c8c217c0670747d34a4499043da92) and [redact logging](https://github.com/octo-sts/app/commit/0f177fde54f9318e33f0bba6abaea9463a7c3afd).\n\nMany thanks to @vicevirus for reporting this issue and for assisting with remediation review.\n\n## References\n\n- https://github.com/octo-sts/app/security/advisories/GHSA-h3qp-hwvr-9xcq\n- https://github.com/octo-sts/app/commit/b3976e39bd8c8c217c0670747d34a4499043da92\n- https://github.com/octo-sts/app/commit/0f177fde54f9318e33f0bba6abaea9463a7c3afd",
  "id": "GHSA-h3qp-hwvr-9xcq",
  "modified": "2025-06-26T18:53:54Z",
  "published": "2025-06-26T18:53:54Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/octo-sts/app/security/advisories/GHSA-h3qp-hwvr-9xcq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52477"
    },
    {
      "type": "WEB",
      "url": "https://github.com/octo-sts/app/commit/0f177fde54f9318e33f0bba6abaea9463a7c3afd"
    },
    {
      "type": "WEB",
      "url": "https://github.com/octo-sts/app/commit/b3976e39bd8c8c217c0670747d34a4499043da92"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/octo-sts/app"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Octo STS Unauthenticated SSRF by abusing fields in OpenID Connect tokens"
}

