CVE-2025-64708

authentik is an open-source Identity Provider. Prior to versions 2025.8.5 and 2025.10.2, in previous authentik versions, invitations were considered valid regardless if they are expired or not, thus relying on background tasks to clean up expired ones. In a normal scenario this can take up to 5 minutes because the cleanup of expired objects is scheduled to run every 5 minutes. However, with a large amount of tasks in the backlog, this might take longer. authentik versions 2025.8.5 and 2025.10.2 fix this issue. A workaround involves creating a policy that explicitly checks whether the invitation is still valid, and then bind it to the invitation stage on the invitation flow, and denying access if the invitation is not valid.

CVSS v3 5.8 MEDIUM

5.8^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/goauthentik/authentik/commit/6672e6aaa41e0f2c9bfb1e4d8b51cf114969e830	Patch
https://github.com/goauthentik/authentik/security/advisories/GHSA-ch7q-53v8-73pc	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:goauthentik:authentik::::::::
	cpe:2.3:a:goauthentik:authentik::::::::

History

20 Nov 2025, 18:56

Type	Values Removed	Values Added
First Time		Goauthentik authentik Goauthentik
CPE		cpe:2.3:a:goauthentik:authentik::::::::
References	~~() https://github.com/goauthentik/authentik/commit/6672e6aaa41e0f2c9bfb1e4d8b51cf114969e830 -~~	() https://github.com/goauthentik/authentik/commit/6672e6aaa41e0f2c9bfb1e4d8b51cf114969e830 - Patch
References	~~() https://github.com/goauthentik/authentik/security/advisories/GHSA-ch7q-53v8-73pc -~~	() https://github.com/goauthentik/authentik/security/advisories/GHSA-ch7q-53v8-73pc - Patch, Vendor Advisory

19 Nov 2025, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-11-19 17:15

Updated : 2025-11-20 18:56

NVD link : CVE-2025-64708

Mitre link : CVE-2025-64708

CVE.ORG link : CVE-2025-64708

JSON object : View

Products Affected

goauthentik

authentik

CWE

CWE-613

Insufficient Session Expiration

{"id": "CVE-2025-64708", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2025-11-19T17:15:52.220", "references": [{"url": "https://github.com/goauthentik/authentik/commit/6672e6aaa41e0f2c9bfb1e4d8b51cf114969e830", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-ch7q-53v8-73pc", "tags": ["Patch", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-613"}]}], "descriptions": [{"lang": "en", "value": "authentik is an open-source Identity Provider. Prior to versions 2025.8.5 and 2025.10.2, in previous authentik versions, invitations were considered valid regardless if they are expired or not, thus relying on background tasks to clean up expired ones. In a normal scenario this can take up to 5 minutes because the cleanup of expired objects is scheduled to run every 5 minutes. However, with a large amount of tasks in the backlog, this might take longer. authentik versions 2025.8.5 and 2025.10.2 fix this issue. A workaround involves creating a policy that explicitly checks whether the invitation is still valid, and then bind it to the invitation stage on the invitation flow, and denying access if the invitation is not valid."}], "lastModified": "2025-11-20T18:56:40.587", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5F21EB7E-BB70-4943-9906-475C772482E9", "versionEndExcluding": "2025.8.5", "versionStartIncluding": "2025.8.0"}, {"criteria": "cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "33A96DEB-01A3-42C1-B17B-A6F65CBA55C0", "versionEndExcluding": "2025.10.2", "versionStartIncluding": "2025.10.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}