GHSA-V2P7-4PV4-3WWH
Vulnerability from github – Published: 2025-09-10 20:47 – Updated: 2025-09-10 20:47
VLAI?
Summary
Infrahub: Deleted and expired API tokens can still authenticate
Details
Impact
A bug in the authentication logic will cause API tokens that were deleted and/or expired to be considered valid. This means that any API token that is associated with an active user account can authenticate successfully.
Patches
This issue is fixed in versions 1.3.9 and 1.4.5
Workarounds
Users can delete or deactivate the account associated with a deleted API token to prevent that token from authenticating.
Severity ?
5.5 (Medium)
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "infrahub-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.3.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "infrahub-server"
},
"ranges": [
{
"events": [
{
"introduced": "1.4.0"
},
{
"fixed": "1.4.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-59036"
],
"database_specific": {
"cwe_ids": [
"CWE-298"
],
"github_reviewed": true,
"github_reviewed_at": "2025-09-10T20:47:07Z",
"nvd_published_at": "2025-09-09T22:15:34Z",
"severity": "MODERATE"
},
"details": "### Impact\nA bug in the authentication logic will cause API tokens that were deleted and/or expired to be considered valid. This means that any API token that is associated with an active user account can authenticate successfully.\n\n### Patches\nThis issue is fixed in versions `1.3.9` and `1.4.5`\n\n### Workarounds\nUsers can delete or deactivate the account associated with a deleted API token to prevent that token from authenticating.",
"id": "GHSA-v2p7-4pv4-3wwh",
"modified": "2025-09-10T20:47:07Z",
"published": "2025-09-10T20:47:07Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/opsmill/infrahub/security/advisories/GHSA-v2p7-4pv4-3wwh"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59036"
},
{
"type": "WEB",
"url": "https://github.com/opsmill/infrahub/commit/215185f217e2f754f7c0a0aa4b77e11079a063a1"
},
{
"type": "WEB",
"url": "https://github.com/opsmill/infrahub/commit/61b49a4a9e988f10c3a44f0e86ef97f344a1e228"
},
{
"type": "PACKAGE",
"url": "https://github.com/opsmill/infrahub"
},
{
"type": "WEB",
"url": "https://github.com/opsmill/infrahub/releases/tag/infrahub-v1.3.9"
},
{
"type": "WEB",
"url": "https://github.com/opsmill/infrahub/releases/tag/infrahub-v1.4.5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Infrahub: Deleted and expired API tokens can still authenticate"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…