Description
A vulnerability was found in the Cryostat HTTP API. Cryostat's HTTP API binds to all network interfaces, allowing possible external visibility and access to the API port if Network Policies are disabled, allowing an unauthenticated, malicious attacker to jeopardize the environment.
Problem types
Authentication Bypass by Alternate Name
Product status
Any version before 4.0.2
0.5.2-3 (rpm) before *
4.0.2-3 (rpm) before *
4.0.2-3 (rpm) before *
4.0.2-3 (rpm) before *
4.0.2-3 (rpm) before *
4.0.2-3 (rpm) before *
4.0.2-3 (rpm) before *
4.0.2-3 (rpm) before *
4.0.2-3 (rpm) before *
4.0.2-3 (rpm) before *
4.0.2-3 (rpm) before *
Timeline
| 2025-07-31: | Reported to Red Hat. |
| 2025-08-20: | Made public. |
References
access.redhat.com/errata/RHSA-2025:14919 (RHSA-2025:14919)
access.redhat.com/security/cve/CVE-2025-8415
bugzilla.redhat.com/show_bug.cgi?id=2385773 (RHBZ#2385773)
github.com/cryostatio/cryostat/pull/1001
github.com/cryostatio/cryostat/releases/tag/v4.0.2
Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.
