Home > Vulnerability Database > CVE-2025-52477

Mend.io Vulnerability Database

CVE-2025-52477

Good to know:

Date: June 26, 2025

Octo-STS is a GitHub App that acts like a Security Token Service (STS) for the GitHub API. Octo-STS versions before v0.5.3 are vulnerable to unauthenticated SSRF by abusing fields in OpenID Connect tokens. Malicious tokens were shown to trigger internal network requests which could reflect error logs with sensitive information. Upgrade to v0.5.3 to resolve this issue. This version includes patch sets to sanitize input and redact logging.

Severity Score

8.6

Related Resources (6)

Url: https://github.com/octo-sts/app/commit/b3976e39bd8c8c217c0670747d34a4499043da92

Url: https://github.com/octo-sts/app

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-52477

Url: https://github.com/octo-sts/app/security/advisories/GHSA-h3qp-hwvr-9xcq

Url: https://github.com/octo-sts/app/commit/0f177fde54f9318e33f0bba6abaea9463a7c3afd

Url: https://www.mend.io/vulnerability-database/CVE-2025-52477

Severity Score

8.6

Weakness Type (CWE)

Server-Side Request Forgery (SSRF)

CWE-918

Top Fix

Upgrade Version

Upgrade to version github.com/octo-sts/app - v0.5.3;github.com/octo-sts/app - v0.5.3

Learn More

CVSS v3.1

Base Score:	8.6
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-52477

Good to know:

Date: June 26, 2025

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?