GHSA-8cqv-pj7f-pwpc

Source
https://github.com/advisories/GHSA-8cqv-pj7f-pwpc
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-8cqv-pj7f-pwpc/GHSA-8cqv-pj7f-pwpc.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-8cqv-pj7f-pwpc
Aliases
  • CVE-2025-49825
Published
2025-06-16T17:16:31Z
Modified
2025-06-16T17:59:48.024280Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Teleport allows remote authentication bypass
Details

Impact

A full technical disclosure and open-source patch will be published after the embargo period, ending on June 30th, to allow all users to upgrade.

Teleport security engineers identified a critical security vulnerability that could allow remote authentication bypass of Teleport.

Teleport Cloud Infrastructure and CI/CD build, test, and release infrastructure aren’t affected.

For the full mitigation, upgrade both Proxy and Teleport agents. Updating clients to the released patch versions is strongly recommended as a precaution.

Have questions?

Patches

Fixed in versions: 17.5.2, 16.5.12, 15.5.3, 14.4.1, 13.4.27, 12.4.35.

These patches are available only on the official Teleport distribution channels.

These versions are designated as Critical Security Exception Versions.

For these specific patch versions of Teleport Community Edition, the Community Edition restrictions on employee count or revenue thresholds are removed, as long as you apply the patch within thirty (30) days of its official release.

Please read the full text of the updated Teleport Community Edition license for details.

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-863"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-16T17:16:31Z"
}
References

Affected packages

Go / github.com/gravitational/teleport

Package

Name
github.com/gravitational/teleport
Purl
pkg:golang/github.com/gravitational/teleport

Affected ranges

Type
SEMVER
Events
Introduced
17.0.0
Fixed
17.5.2

Go / github.com/gravitational/teleport

Package

Name
github.com/gravitational/teleport
Purl
pkg:golang/github.com/gravitational/teleport

Affected ranges

Type
SEMVER
Events
Introduced
16.0.0
Fixed
16.5.12

Go / github.com/gravitational/teleport

Package

Name
github.com/gravitational/teleport
Purl
pkg:golang/github.com/gravitational/teleport

Affected ranges

Type
SEMVER
Events
Introduced
15.0.0
Fixed
15.5.3

Go / github.com/gravitational/teleport

Package

Name
github.com/gravitational/teleport
Purl
pkg:golang/github.com/gravitational/teleport

Affected ranges

Type
SEMVER
Events
Introduced
14.0.0
Fixed
14.4.1

Go / github.com/gravitational/teleport

Package

Name
github.com/gravitational/teleport
Purl
pkg:golang/github.com/gravitational/teleport

Affected ranges

Type
SEMVER
Events
Introduced
13.0.0
Fixed
13.4.27

Go / github.com/gravitational/teleport

Package

Name
github.com/gravitational/teleport
Purl
pkg:golang/github.com/gravitational/teleport

Affected ranges

Type
SEMVER
Events
Introduced
0.0.11
Fixed
12.4.35

Go / github.com/gravitational/teleport

Package

Name
github.com/gravitational/teleport
Purl
pkg:golang/github.com/gravitational/teleport

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Last affected
0.0.0-20250616162021-79b2f26125a1