cvelistv5 - cve-2025-65109

CVE-2025-65109 (GCVE-0-2025-65109)

Vulnerability from cvelistv5 – Published: 2025-11-21 21:56 – Updated: 2025-11-24 17:17

Summary

Minder is an open source software supply chain security platform. In Minder Helm version 0.20241106.3386+ref.2507dbf and Minder Go versions from 0.0.72 to 0.0.83, Minder users may fetch content in the context of the Minder server, which may include URLs which the user would not normally have access to. This issue has been patched in Minder Helm version 0.20250203.3849+ref.fdc94f0 and Minder Go version 0.0.84.

Severity ?

8.5 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L

CWE

CWE-830 - Inclusion of Web Functionality from an Untrusted Source

Assigner

GitHub_M

References

URL

Tags

	https://github.com/mindersec/minder/security/advi…	x_refsource_CONFIRM
	https://github.com/mindersec/minder/commit/f77040…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	mindersec	minder	Affected: Helm = 0.20241106.3386+ref.2507dbf Affected: Go >= 0.0.72, < 0.0.84

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-65109",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-24T17:17:34.507772Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-24T17:17:41.932Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "minder",
          "vendor": "mindersec",
          "versions": [
            {
              "status": "affected",
              "version": "Helm = 0.20241106.3386+ref.2507dbf"
            },
            {
              "status": "affected",
              "version": "Go \u003e= 0.0.72, \u003c 0.0.84"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Minder is an open source software supply chain security platform. In Minder Helm version 0.20241106.3386+ref.2507dbf and Minder Go versions from 0.0.72 to 0.0.83, Minder users may fetch content in the context of the Minder server, which may include URLs which the user would not normally have access to. This issue has been patched in Minder Helm version 0.20250203.3849+ref.fdc94f0 and Minder Go version 0.0.84."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.5,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "LOW",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "LOW"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-830",
              "description": "CWE-830: Inclusion of Web Functionality from an Untrusted Source",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-21T21:56:53.667Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/mindersec/minder/security/advisories/GHSA-6xvf-4vh9-mw47",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/mindersec/minder/security/advisories/GHSA-6xvf-4vh9-mw47"
        },
        {
          "name": "https://github.com/mindersec/minder/commit/f770400923984649a287d7215410ef108e845af8",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/mindersec/minder/commit/f770400923984649a287d7215410ef108e845af8"
        }
      ],
      "source": {
        "advisory": "GHSA-6xvf-4vh9-mw47",
        "discovery": "UNKNOWN"
      },
      "title": "Minder does not sandbox http.send in Rego programs"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-65109",
    "datePublished": "2025-11-21T21:56:53.667Z",
    "dateReserved": "2025-11-17T20:55:34.694Z",
    "dateUpdated": "2025-11-24T17:17:41.932Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-65109\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-11-21T22:16:33.507\",\"lastModified\":\"2025-11-25T22:16:42.557\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Minder is an open source software supply chain security platform. In Minder Helm version 0.20241106.3386+ref.2507dbf and Minder Go versions from 0.0.72 to 0.0.83, Minder users may fetch content in the context of the Minder server, which may include URLs which the user would not normally have access to. This issue has been patched in Minder Helm version 0.20250203.3849+ref.fdc94f0 and Minder Go version 0.0.84.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":8.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"LOW\",\"vulnAvailabilityImpact\":\"LOW\",\"subConfidentialityImpact\":\"HIGH\",\"subIntegrityImpact\":\"LOW\",\"subAvailabilityImpact\":\"LOW\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-830\"}]}],\"references\":[{\"url\":\"https://github.com/mindersec/minder/commit/f770400923984649a287d7215410ef108e845af8\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/mindersec/minder/security/advisories/GHSA-6xvf-4vh9-mw47\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-65109\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-11-24T17:17:34.507772Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-11-24T17:17:38.827Z\"}}], \"cna\": {\"title\": \"Minder does not sandbox http.send in Rego programs\", \"source\": {\"advisory\": \"GHSA-6xvf-4vh9-mw47\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 8.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"LOW\", \"vulnIntegrityImpact\": \"LOW\", \"subAvailabilityImpact\": \"LOW\", \"vulnAvailabilityImpact\": \"LOW\", \"subConfidentialityImpact\": \"HIGH\", \"vulnConfidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"mindersec\", \"product\": \"minder\", \"versions\": [{\"status\": \"affected\", \"version\": \"Helm = 0.20241106.3386+ref.2507dbf\"}, {\"status\": \"affected\", \"version\": \"Go \u003e= 0.0.72, \u003c 0.0.84\"}]}], \"references\": [{\"url\": \"https://github.com/mindersec/minder/security/advisories/GHSA-6xvf-4vh9-mw47\", \"name\": \"https://github.com/mindersec/minder/security/advisories/GHSA-6xvf-4vh9-mw47\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/mindersec/minder/commit/f770400923984649a287d7215410ef108e845af8\", \"name\": \"https://github.com/mindersec/minder/commit/f770400923984649a287d7215410ef108e845af8\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Minder is an open source software supply chain security platform. In Minder Helm version 0.20241106.3386+ref.2507dbf and Minder Go versions from 0.0.72 to 0.0.83, Minder users may fetch content in the context of the Minder server, which may include URLs which the user would not normally have access to. This issue has been patched in Minder Helm version 0.20250203.3849+ref.fdc94f0 and Minder Go version 0.0.84.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-830\", \"description\": \"CWE-830: Inclusion of Web Functionality from an Untrusted Source\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-11-21T21:56:53.667Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-65109\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-11-24T17:17:41.932Z\", \"dateReserved\": \"2025-11-17T20:55:34.694Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-11-21T21:56:53.667Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-6XVF-4VH9-MW47

Vulnerability from github – Published: 2025-11-20 21:57 – Updated: 2025-11-20 21:57

Summary

Minder does not sandbox http.send in Rego programs

Details

Impact

Minder users may fetch content in the context of the Minder server, which may include URLs which the user would not normally have access to (for example, if the Minder server is behind a firewall or other network partition).

Patches

https://github.com/mindersec/minder/commit/f770400923984649a287d7215410ef108e845af8

Workarounds

Users should avoid deploying Minder with access to sensitive resources. Unfortunately, this could include access to systems like OpenFGA or Keycloak, depending on the deployment configuration.

References

Sample ruletype:

version: v1
type: rule-type
name: test-http-send
display_name: Test that we can call http.send
short_failure_message: Failed http.send
severity:
  value: medium
context:
  provider: github
description: |
  ...
guidance: |
  ....
def:
  in_entity: repository
  rule_schema:
    type: object
    properties: {}
  ingest:
    type: git
    git: {}
  eval:
    type: rego
    violation_format: text
    rego:
      type: constraints
      def: |
        package minder

        import rego.v1

        violations contains {"msg": "Check-execution"}

        resp := http.send({
          "method": "GET",
          "url": "http://openfga:8080/",
          "raise_error": false,
        })

        violations contains {"msg": sprintf("Response: %s", [resp.status])}

        details := sprintf("High score: %s", [resp.body.summary])

        violations contains {"msg": sprintf("Response body: %s", [resp.body]) } if {
          resp.status_code > 0
        }

Example policy:

version: v1
type: profile
name: Test-HTTP-send
display_name: Test if we can do http.send
context:
  provider: github
alert: "off"
remediate: "off"
repository:
  - type: test-http-send
    def: {}

Evaluation results:

$ minder profile status list -n test-http-send --json
{
  "profileStatus": {
    "profileId": "3b3e0918-4deb-49cc-b4c9-1d1d912cf784",
    "profileName": "Test-HTTP-send",
    "profileStatus": "failure",
    "lastUpdated": "2024-10-31T03:44:01.456359Z"
  },
  "ruleEvaluationStatus": [
    {
      "profileId": "3b3e0918-4deb-49cc-b4c9-1d1d912cf784",
      "ruleId": "c0ebac2c-cfe2-4a98-b0a6-d6971209653e",
      "ruleName": "test-http-send",
      "entity": "repository",
      "status": "failure",
      "lastUpdated": "2024-10-31T03:44:01.456359Z",
      "entityInfo": {
        "entity_id": "a7f7a4bc-4430-4e9a-86a9-ffa026db6343",
        "entity_type": "repository",
        "name": "a-random-sandbox/colorls",
        "provider": "github-app-a-random-sandbox",
        "repo_name": "colorls",
        "repo_owner": "a-random-sandbox",
        "repository_id": "a7f7a4bc-4430-4e9a-86a9-ffa026db6343"
      },
      "details": "Multiple issues:\n* Check-execution\n* Response body: {\"code\": \"undefined_endpoint\", \"message\": \"Not Found\"}\n* Response: 404 Not Found\n",
      "guidance": "....\n",
      "remediationStatus": "skipped",
      "remediationLastUpdated": "2024-10-31T03:44:01.456359Z",
      "ruleTypeName": "test-http-send",
      "ruleDescriptionName": "Test that we can call http.send",
      "alert": {
        "status": "skipped",
        "lastUpdated": "2024-10-31T03:44:01.456359Z"
      },
      "ruleDisplayName": "Test that we can call http.send",
      "releasePhase": "RULE_TYPE_RELEASE_PHASE_ALPHA"
    }
  ]
}

Severity ?

8.5 (High)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.0.83"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/mindersec/minder"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.72"
            },
            {
              "fixed": "0.0.84"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-830"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-11-20T21:57:01Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Impact\n\nMinder users may fetch content in the context of the Minder server, which may include URLs which the user would not normally have access to (for example, if the Minder server is behind a firewall or other network partition).\n\n### Patches\n\nhttps://github.com/mindersec/minder/commit/f770400923984649a287d7215410ef108e845af8\n\n### Workarounds\n\nUsers should avoid deploying Minder with access to sensitive resources.  Unfortunately, this could include access to systems like OpenFGA or Keycloak, depending on the deployment configuration.\n\n### References\n\nSample ruletype:\n\n```yaml\nversion: v1\ntype: rule-type\nname: test-http-send\ndisplay_name: Test that we can call http.send\nshort_failure_message: Failed http.send\nseverity:\n  value: medium\ncontext:\n  provider: github\ndescription: |\n  ...\nguidance: |\n  ....\ndef:\n  in_entity: repository\n  rule_schema:\n    type: object\n    properties: {}\n  ingest:\n    type: git\n    git: {}\n  eval:\n    type: rego\n    violation_format: text\n    rego:\n      type: constraints\n      def: |\n        package minder\n\n        import rego.v1\n\n        violations contains {\"msg\": \"Check-execution\"}\n\n        resp := http.send({\n          \"method\": \"GET\",\n          \"url\": \"http://openfga:8080/\",\n          \"raise_error\": false,\n        })\n\n        violations contains {\"msg\": sprintf(\"Response: %s\", [resp.status])}\n\n        details := sprintf(\"High score: %s\", [resp.body.summary])\n\n        violations contains {\"msg\": sprintf(\"Response body: %s\", [resp.body]) } if {\n          resp.status_code \u003e 0\n        }\n```\n\nExample policy:\n\n```yaml\nversion: v1\ntype: profile\nname: Test-HTTP-send\ndisplay_name: Test if we can do http.send\ncontext:\n  provider: github\nalert: \"off\"\nremediate: \"off\"\nrepository:\n  - type: test-http-send\n    def: {}\n```\n\nEvaluation results:\n\n```sh\n$ minder profile status list -n test-http-send --json\n{\n  \"profileStatus\": {\n    \"profileId\": \"3b3e0918-4deb-49cc-b4c9-1d1d912cf784\",\n    \"profileName\": \"Test-HTTP-send\",\n    \"profileStatus\": \"failure\",\n    \"lastUpdated\": \"2024-10-31T03:44:01.456359Z\"\n  },\n  \"ruleEvaluationStatus\": [\n    {\n      \"profileId\": \"3b3e0918-4deb-49cc-b4c9-1d1d912cf784\",\n      \"ruleId\": \"c0ebac2c-cfe2-4a98-b0a6-d6971209653e\",\n      \"ruleName\": \"test-http-send\",\n      \"entity\": \"repository\",\n      \"status\": \"failure\",\n      \"lastUpdated\": \"2024-10-31T03:44:01.456359Z\",\n      \"entityInfo\": {\n        \"entity_id\": \"a7f7a4bc-4430-4e9a-86a9-ffa026db6343\",\n        \"entity_type\": \"repository\",\n        \"name\": \"a-random-sandbox/colorls\",\n        \"provider\": \"github-app-a-random-sandbox\",\n        \"repo_name\": \"colorls\",\n        \"repo_owner\": \"a-random-sandbox\",\n        \"repository_id\": \"a7f7a4bc-4430-4e9a-86a9-ffa026db6343\"\n      },\n      \"details\": \"Multiple issues:\\n* Check-execution\\n* Response body: {\\\"code\\\": \\\"undefined_endpoint\\\", \\\"message\\\": \\\"Not Found\\\"}\\n* Response: 404 Not Found\\n\",\n      \"guidance\": \"....\\n\",\n      \"remediationStatus\": \"skipped\",\n      \"remediationLastUpdated\": \"2024-10-31T03:44:01.456359Z\",\n      \"ruleTypeName\": \"test-http-send\",\n      \"ruleDescriptionName\": \"Test that we can call http.send\",\n      \"alert\": {\n        \"status\": \"skipped\",\n        \"lastUpdated\": \"2024-10-31T03:44:01.456359Z\"\n      },\n      \"ruleDisplayName\": \"Test that we can call http.send\",\n      \"releasePhase\": \"RULE_TYPE_RELEASE_PHASE_ALPHA\"\n    }\n  ]\n}\n```",
  "id": "GHSA-6xvf-4vh9-mw47",
  "modified": "2025-11-20T21:57:01Z",
  "published": "2025-11-20T21:57:01Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/mindersec/minder/security/advisories/GHSA-6xvf-4vh9-mw47"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mindersec/minder/commit/f770400923984649a287d7215410ef108e845af8"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mindersec/minder"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Minder does not sandbox http.send in Rego programs"
}

FKIE_CVE-2025-65109

Vulnerability from fkie_nvd - Published: 2025-11-21 22:16 - Updated: 2025-11-25 22:16

Severity ?

8.5 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/mindersec/minder/commit/f770400923984649a287d7215410ef108e845af8
	security-advisories@github.com	https://github.com/mindersec/minder/security/advisories/GHSA-6xvf-4vh9-mw47

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Minder is an open source software supply chain security platform. In Minder Helm version 0.20241106.3386+ref.2507dbf and Minder Go versions from 0.0.72 to 0.0.83, Minder users may fetch content in the context of the Minder server, which may include URLs which the user would not normally have access to. This issue has been patched in Minder Helm version 0.20250203.3849+ref.fdc94f0 and Minder Go version 0.0.84."
    }
  ],
  "id": "CVE-2025-65109",
  "lastModified": "2025-11-25T22:16:42.557",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 8.5,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "LOW",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "LOW",
          "subConfidentialityImpact": "HIGH",
          "subIntegrityImpact": "LOW",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "LOW",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "LOW",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-11-21T22:16:33.507",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/mindersec/minder/commit/f770400923984649a287d7215410ef108e845af8"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/mindersec/minder/security/advisories/GHSA-6xvf-4vh9-mw47"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-830"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-65109 (GCVE-0-2025-65109)

GHSA-6XVF-4VH9-MW47

Impact

Patches

Workarounds

References

FKIE_CVE-2025-65109

Tags

Sightings

Nomenclature