GHSA-H3QP-HWVR-9XCQ
Vulnerability from github – Published: 2025-06-26 18:53 – Updated: 2025-06-26 18:53
Summary
Octo STS Unauthenticated SSRF by abusing fields in OpenID Connect tokens
Details
Summary
Octo-STS versions before v0.5.3 are vulnerable to unauthenticated SSRF: fields in an attacker-supplied OpenID Connect token are used to build outbound requests, so a crafted token can make the service send requests to internal network endpoints, and the resulting error logs could reflect sensitive information from those responses. No credentials are required; submitting the malicious token is enough.
Upgrade to v0.5.3 to resolve this issue. That release includes patches to sanitize input (commit b3976e39) and to redact logging (commit 0f177fde); both are linked under References.
Many thanks to @vicevirus for reporting this issue and for assisting with remediation review.
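The advisory does not say which token field is abused or show the affected code. The example below is an added illustration, not Octo-STS's own code, and assumes the usual culprit in this class of bug: the `iss` claim, which an STS has to read before it can verify the signature because it tells the service where to fetch the signing keys. It places the pre-fix pattern (fetch whatever the claim names) beside a hardened issuer check, a dial-time guard for public hostnames that resolve to internal addresses, and an error path that carries only the HTTP status so an internal service's response never reaches the logs. The token, issuer URLs, function names and canned responses are all constructed for the example.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/url"
	"strings"
	"syscall"
)

// issuerFromUnverifiedToken reads the iss claim before any signature check. An STS
// must do this to find the signing keys, so the value is attacker-controlled input.
func issuerFromUnverifiedToken(token string) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed JWT")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return "", fmt.Errorf("decoding claims: %w", err)
	}
	var claims struct{ Iss string `json:"iss"` }
	if err := json.Unmarshal(payload, &claims); err != nil {
		return "", fmt.Errorf("parsing claims: %w", err)
	}
	return claims.Iss, nil
}

// vulnerableDiscoveryURL is the assumed pre-fix pattern (not Octo-STS's code): the issuer
// is fetched exactly as the token states it, so "http://169.254.169.254/latest" works.
func vulnerableDiscoveryURL(iss string) string {
	return strings.TrimSuffix(iss, "/") + "/.well-known/openid-configuration"
}

// isPublic rejects loopback, RFC 1918/ULA, link-local (169.254.0.0/16) and unspecified addresses.
func isPublic(ip net.IP) bool {
	return !(ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() || ip.IsUnspecified())
}

// validateIssuer is the hardened form: a bare https URL whose host is not an internal IP literal.
func validateIssuer(iss string) (string, error) {
	u, err := url.Parse(iss)
	if err != nil || u.Hostname() == "" {
		return "", errors.New("issuer is not a valid URL")
	}
	if u.Scheme != "https" || u.User != nil || u.RawQuery != "" || u.Fragment != "" {
		return "", errors.New("issuer must be a bare https URL")
	}
	if ip := net.ParseIP(u.Hostname()); ip != nil && !isPublic(ip) {
		return "", errors.New("issuer must not be an internal address")
	}
	return strings.TrimSuffix(u.String(), "/") + "/.well-known/openid-configuration", nil
}

// rejectInternalDial is for net.Dialer.Control, which runs after DNS resolution, so a public
// hostname that resolves to an internal address is refused too (the literal-IP check alone misses it).
func rejectInternalDial(network, address string, _ syscall.RawConn) error {
	host, _, err := net.SplitHostPort(address)
	if ip := net.ParseIP(host); err != nil || ip == nil || !isPublic(ip) {
		return fmt.Errorf("refusing to connect to %q: not a public address", address)
	}
	return nil
}

// fetchDiscovery makes the outbound request; on failure its error carries only the HTTP
// status, never the body, which is what would reflect an internal response into error logs.
func fetchDiscovery(client *http.Client, iss string) ([]byte, error) {
	discoveryURL, err := validateIssuer(iss)
	if err != nil {
		return nil, err
	}
	resp, err := client.Get(discoveryURL)
	if err != nil {
		return nil, errors.New("issuer discovery request failed")
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("issuer discovery returned HTTP %d", resp.StatusCode)
	}
	return body, nil
}

// roundTripFunc supplies a canned response so the example runs offline.
type roundTripFunc func(*http.Request) (*http.Response, error)
func (f roundTripFunc) RoundTrip(r *http.Request) (*http.Response, error) { return f(r) }

func main() {
	// Constructed token: header and signature are placeholders, only the unverified payload matters.
	tok := "eyJhbGciOiJSUzI1NiJ9." + base64.RawURLEncoding.EncodeToString([]byte(`{"iss":"http://169.254.169.254/latest"}`)) + ".sig"
	iss, _ := issuerFromUnverifiedToken(tok)
	fmt.Println(vulnerableDiscoveryURL(iss)) // what the pre-fix pattern would fetch
	_, err := validateIssuer(iss)
	fmt.Println(err) // what the hardened check returns instead
}
```

The dial-time hook is wired in with `&net.Dialer{Control: rejectInternalDial}` as the transport's `DialContext`, and the client's `CheckRedirect` should return `http.ErrUseLastResponse` so a public issuer cannot redirect the request inward. Where the set of trusted issuers is known in advance (for example, a handful of CI providers), an explicit issuer allowlist is simpler and stronger than any address denylist and should be the first line of defence; the checks above are the fallback for deployments that must accept arbitrary issuers.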
References
- https://github.com/octo-sts/app/security/advisories/GHSA-h3qp-hwvr-9xcq
- https://github.com/octo-sts/app/commit/b3976e39bd8c8c217c0670747d34a4499043da92
- https://github.com/octo-sts/app/commit/0f177fde54f9318e33f0bba6abaea9463a7c3afd
Severity
8.6 (High)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.5.2"
},
"package": {
"ecosystem": "Go",
"name": "github.com/octo-sts/app"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.5.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-52477"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2025-06-26T18:53:54Z",
"nvd_published_at": "2025-06-26T17:15:30Z",
"severity": "HIGH"
},
"details": "## Summary\n\nOcto-STS versions before v0.5.3 are vulnerable to unauthenticated SSRF by abusing fields in OpenID Connect tokens. Malicious tokens were shown to trigger internal network requests which could reflect error logs with sensitive information. \n\nPlease upgrade to v0.5.3 to resolve this issue. This version includes patch sets to [sanitize input](https://github.com/octo-sts/app/commit/b3976e39bd8c8c217c0670747d34a4499043da92) and [redact logging](https://github.com/octo-sts/app/commit/0f177fde54f9318e33f0bba6abaea9463a7c3afd).\n\nMany thanks to @vicevirus for reporting this issue and for assisting with remediation review.\n\n## References\n\n- https://github.com/octo-sts/app/security/advisories/GHSA-h3qp-hwvr-9xcq\n- https://github.com/octo-sts/app/commit/b3976e39bd8c8c217c0670747d34a4499043da92\n- https://github.com/octo-sts/app/commit/0f177fde54f9318e33f0bba6abaea9463a7c3afd",
"id": "GHSA-h3qp-hwvr-9xcq",
"modified": "2025-06-26T18:53:54Z",
"published": "2025-06-26T18:53:54Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/octo-sts/app/security/advisories/GHSA-h3qp-hwvr-9xcq"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52477"
},
{
"type": "WEB",
"url": "https://github.com/octo-sts/app/commit/0f177fde54f9318e33f0bba6abaea9463a7c3afd"
},
{
"type": "WEB",
"url": "https://github.com/octo-sts/app/commit/b3976e39bd8c8c217c0670747d34a4499043da92"
},
{
"type": "PACKAGE",
"url": "https://github.com/octo-sts/app"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Octo STS Unauthenticated SSRF by abusing fields in OpenID Connect tokens"
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.