CVE-2025-52477

{"id": "CVE-2025-52477", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2025-52477", "role": "CISA Coordinator", "options": [{"exploitation": "none"}, {"automatable": "yes"}, {"technicalImpact": "partial"}], "version": "2.0.3", "timestamp": "2025-06-27T13:16:36.251923Z"}}], "cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 3.9}]}, "affected": [{"source": "security-advisories@github.com", "affectedData": [{"vendor": "octo-sts", "product": "app", "versions": [{"status": "affected", "version": "< 0.5.3"}]}]}], "published": "2025-06-26T17:15:30.897", "references": [{"url": "https://github.com/octo-sts/app/commit/0f177fde54f9318e33f0bba6abaea9463a7c3afd", "source": "security-advisories@github.com"}, {"url": "https://github.com/octo-sts/app/commit/b3976e39bd8c8c217c0670747d34a4499043da92", "source": "security-advisories@github.com"}, {"url": "https://github.com/octo-sts/app/security/advisories/GHSA-h3qp-hwvr-9xcq", "source": "security-advisories@github.com"}, {"url": "https://github.com/octo-sts/app/security/advisories/GHSA-h3qp-hwvr-9xcq", "source": "security-advisories@github.com"}, {"url": "https://github.com/octo-sts/app/security/advisories/GHSA-h3qp-hwvr-9xcq", "source": "security-advisories@github.com"}, {"url": "https://github.com/octo-sts/app/security/advisories/GHSA-h3qp-hwvr-9xcq", "source": "security-advisories@github.com"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-918"}]}], "descriptions": [{"lang": "en", "value": "Octo-STS is a GitHub App that acts like a Security Token Service (STS) for the GitHub API. Octo-STS versions before v0.5.3 are vulnerable to unauthenticated SSRF by abusing fields in OpenID Connect tokens. Malicious tokens were shown to trigger internal network requests which could reflect error logs with sensitive information. Upgrade to v0.5.3 to resolve this issue. This version includes patch sets to sanitize input and redact logging."}, {"lang": "es", "value": "Octo-STS es una aplicaci\u00f3n de GitHub que funciona como un Servicio de Token de Seguridad (STS) para la API de GitHub. Las versiones de Octo-STS anteriores a la v0.5.3 son vulnerables a SSRF no autenticado al abusar de los campos de los tokens de OpenID Connect. Se ha demostrado que los tokens maliciosos activan solicitudes de red internas que podr\u00edan reflejar registros de errores con informaci\u00f3n confidencial. Actualice a la v0.5.3 para resolver este problema. Esta versi\u00f3n incluye conjuntos de parches para sanear la entrada y redactar los registros."}], "lastModified": "2026-06-17T09:36:34.070", "sourceIdentifier": "security-advisories@github.com"}