CVE-2025-57817 | THREATINT

Description

Fides is an open-source privacy engineering platform. Prior to version 2.69.1, the OAuth client creation and update endpoints of the Fides Webserver API do not properly authorize scope assignment. This allows highly privileged users with `client:create` or `client:update` permissions to escalate their privileges to owner-level. Version 2.69.1 fixes the issue. No known workarounds are available.

PUBLISHED Reserved 2025-08-20 | Published 2025-09-08 | Updated 2025-09-09 | Assigner GitHub_M

HIGH: 8.6CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

Problem types

CWE-862: Missing Authorization

Product status

< 2.69.1

affected

References

github.com/.../fides/security/advisories/GHSA-hjfh-p8f5-24wr

github.com/...ommit/2ffd125e1089a09b84c27fb5279a05960cbf2452

github.com/ethyca/fides/releases/tag/2.69.1

cve.org (CVE-2025-57817)

nvd.nist.gov (CVE-2025-57817)

Download JSON