CVE-2025-52477

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-52477
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-52477.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-52477
Aliases
Related
Published
2025-06-26T17:15:30Z
Modified
2025-06-27T11:02:06.614932Z
Summary
[none]
Details

Octo-STS is a GitHub App that acts as a Security Token Service (STS) for the GitHub API. Octo-STS versions before v0.5.3 are vulnerable to unauthenticated server-side request forgery (SSRF): an attacker who controls fields of an OpenID Connect token presented to the service can make it issue requests to internal network addresses, and the resulting errors were shown to be reflected and logged with sensitive information. Upgrade to v0.5.3 to resolve this issue; that version includes patches that sanitize the token input and redact the logging.
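The advisory names the bug class (unauthenticated SSRF driven by OIDC token fields) but not the field. The following Go program is an added illustration, not code from the Octo-STS project, and it assumes the issuer (iss) claim is the steering field: an OIDC verifier must read iss from an as-yet unverified token to find the issuer's signing keys, so the claim is attacker-controlled input that selects the target of an outbound request. All function names and the sample tokens are hypothetical and constructed here. The block shows the vulnerable pattern (issuer used as-is to build a request URL), a hardened issuer check, and a redacted error that does not echo upstream details.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Hypothetical illustration of the bug class in this advisory; not Octo-STS code.

// makeUnsignedToken builds a JWT-shaped string (header.payload.sig) from claims.
// The signature is a dummy: the issuer is read before any signature check, so a
// forged token only has to parse.
func makeUnsignedToken(claims map[string]any) string {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, _ := json.Marshal(claims)
	enc := base64.RawURLEncoding
	return enc.EncodeToString(header) + "." + enc.EncodeToString(payload) + ".sig"
}

// unverifiedIssuer extracts iss without verifying the signature, which is what a
// verifier has to do to learn where to fetch the issuer's keys from.
func unverifiedIssuer(token string) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed token")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return "", err
	}
	var claims struct {
		Iss string `json:"iss"`
	}
	if err := json.Unmarshal(raw, &claims); err != nil {
		return "", err
	}
	return claims.Iss, nil
}

// discoveryURL is the vulnerable pattern: the issuer is concatenated into the
// URL of an outbound request with no validation. With an iss of
// "http://169.254.169.254/latest" the service would call a cloud metadata
// endpoint on the attacker's behalf.
func discoveryURL(iss string) string {
	return strings.TrimSuffix(iss, "/") + "/.well-known/openid-configuration"
}

// checkIssuer is the hardened pattern: validate the issuer before any request.
// Require https, forbid embedded credentials, and reject IP-literal hosts in
// loopback, private, link-local and unspecified ranges. A hostname that resolves
// to such an address still needs a check at dial time (not shown here).
func checkIssuer(iss string) error {
	u, err := url.Parse(iss)
	if err != nil {
		return fmt.Errorf("issuer is not a URL: %w", err)
	}
	if u.Scheme != "https" {
		return errors.New("issuer must use https")
	}
	if u.User != nil {
		return errors.New("issuer must not carry credentials")
	}
	host := u.Hostname()
	if host == "" {
		return errors.New("issuer has no host")
	}
	if ip := net.ParseIP(host); ip != nil {
		if ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() || ip.IsUnspecified() {
			return errors.New("issuer host is in a non-public range")
		}
	}
	return nil
}

// redacted is what should reach the client and the log: a fixed message instead
// of the upstream error text, which can carry internal hostnames or response
// bodies from the request the attacker steered.
func redacted(err error) string {
	if err == nil {
		return ""
	}
	return "token rejected: issuer not permitted"
}

func main() {
	// Constructed sample issuers, not real captures.
	for _, iss := range []string{
		"https://token.actions.githubusercontent.com",
		"http://169.254.169.254/latest",
		"https://127.0.0.1:8080",
	} {
		tok := makeUnsignedToken(map[string]any{"iss": iss, "sub": "repo:o/r"})
		got, _ := unverifiedIssuer(tok)
		if err := checkIssuer(got); err != nil {
			fmt.Printf("%-45s rejected (%s); client sees %q\n", got, err, redacted(err))
			continue
		}
		fmt.Printf("%-45s would fetch %s\n", got, discoveryURL(got))
	}
}
```

In a real deployment the issuer check is best replaced by an explicit allowlist of issuers the service is willing to trust, with the IP-range test repeated inside a custom dialer so that DNS answers pointing at internal addresses are caught as well.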

References

Affected packages

Git / github.com/octo-sts/app

Affected ranges

Type
GIT
Repo
https://github.com/octo-sts/app
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed

Affected versions

v0.*

v0.1.0
v0.2.0
v0.3.0
v0.3.1
v0.4.0
v0.4.1
v0.4.2
v0.5.0
v0.5.1
v0.5.2