SAML SSO Vulnerability in Sentry Error Tracking Tool
CVE-2025-22146
What is CVE-2025-22146?
CVE-2025-22146 is a critical vulnerability in Sentry, the error tracking and application performance monitoring tool used by development teams. The flaw lies in Sentry's SAML single sign-on (SSO) implementation. An attacker who knows a target user's email address can exploit it to take over that user's account and gain whatever data and functionality the account can reach. For organizations that depend on Sentry, this puts the confidentiality and integrity of their monitoring data, and of the projects it covers, at risk.
Technical Details
The flaw is in how Sentry's SAML SSO binds an identity asserted by an Identity Provider (IdP) to a Sentry user. An attacker who controls a SAML IdP trusted by an organization on the instance can present an assertion carrying a victim's email address and be logged in as that user, even though the victim belongs to a different organization on the same Sentry instance. The attack therefore needs only a malicious IdP and the target's email address. For self-hosted deployments, only instances that host multiple organizations are exposed; installations running in single-organization mode are not affected. The issue was reported through Sentry's bug bounty program and fixed on January 14, 2025; self-hosted users should upgrade to Sentry 25.1.0 or later.
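The model below is an added illustration of the class of bug described above, not Sentry's code, and the page does not describe the internals of Sentry's fix. Organization slugs, IdP entity IDs, email addresses and all function names are hypothetical. It contrasts an SSO handler that maps an asserted email straight to a global account with one that scopes each login to an identity keyed by (organization, issuer, subject) and refuses to attach an existing account on the strength of an email attribute alone:

```python
"""Constructed model of SAML account takeover across organizations, and its fix.
Not Sentry's code; names are hypothetical. Assertion signature verification is
assumed to have already succeeded: what is modelled is the later step that maps
the asserted email to a local account."""
from dataclasses import dataclass, field
from enum import Enum


@dataclass(frozen=True)
class User:
    id: int
    email: str


@dataclass
class Organization:
    slug: str
    idp_entity_id: str                           # the one SAML IdP this org trusts
    members: set = field(default_factory=set)    # user ids


@dataclass(frozen=True)
class SamlAssertion:
    issuer: str   # <saml:Issuer> of the signature-verified assertion
    email: str    # NameID / email attribute, chosen freely by the IdP operator


class Outcome(Enum):
    LOGIN = "login"
    REJECT = "reject"
    VERIFY_REQUIRED = "verify_required"


@dataclass
class Instance:
    users: dict                                     # lower-cased email -> User (global)
    orgs: dict                                      # slug -> Organization
    identities: dict = field(default_factory=dict)  # (org slug, issuer, email) -> user id


def _trusted_issuer(instance, org_slug, assertion):
    org = instance.orgs.get(org_slug)
    return org is not None and assertion.issuer == org.idp_entity_id


def _provision(instance, email):
    user = User(id=max((u.id for u in instance.users.values()), default=0) + 1, email=email)
    instance.users[email] = user
    return user


def login_vulnerable(instance, org_slug, assertion):
    """Resolves the asserted email directly to a global user. The issuer is only
    checked against the org being logged into, so an IdP trusted by org "evil"
    can name a user of org "acme" and receive a session as that user."""
    if not _trusted_issuer(instance, org_slug, assertion):
        return Outcome.REJECT, None
    email = assertion.email.lower()
    user = instance.users.get(email) or _provision(instance, email)
    instance.orgs[org_slug].members.add(user.id)
    return Outcome.LOGIN, user.id


def login_hardened(instance, org_slug, assertion):
    """Binds logins to an identity scoped to (organization, issuer, subject).
    An existing account is never attached because an IdP asserted its email;
    the account holder has to confirm out of band first."""
    if not _trusted_issuer(instance, org_slug, assertion):
        return Outcome.REJECT, None
    email = assertion.email.lower()
    key = (org_slug, assertion.issuer, email)
    linked = instance.identities.get(key)
    if linked is not None:
        return Outcome.LOGIN, linked
    if email in instance.users:
        # Existing account with no link to this org's IdP: no session. A real
        # deployment would now send a confirmation email or require linking
        # from an already authenticated browser session.
        return Outcome.VERIFY_REQUIRED, None
    user = _provision(instance, email)   # brand-new subject: safe to provision
    instance.identities[key] = user.id
    instance.orgs[org_slug].members.add(user.id)
    return Outcome.LOGIN, user.id


def build_instance():
    """Constructed scenario: victim in org 'acme'; attacker owns org 'evil' and its IdP."""
    victim = User(1, "victim@acme.example")
    attacker = User(2, "mallory@evil.example")
    acme = Organization("acme", "https://idp.acme.example/metadata", {victim.id})
    evil = Organization("evil", "https://idp.evil.example/metadata", {attacker.id})
    inst = Instance(users={victim.email: victim, attacker.email: attacker},
                    orgs={acme.slug: acme, evil.slug: evil})
    inst.identities[(acme.slug, acme.idp_entity_id, victim.email)] = victim.id
    inst.identities[(evil.slug, evil.idp_entity_id, attacker.email)] = attacker.id
    return inst


# Minted by the attacker's own IdP, which org "evil" trusts, naming the victim's email.
FORGED = SamlAssertion(issuer="https://idp.evil.example/metadata", email="victim@acme.example")

if __name__ == "__main__":
    print("vulnerable:", login_vulnerable(build_instance(), "evil", FORGED))
    print("hardened:  ", login_hardened(build_instance(), "evil", FORGED))
```

The vulnerable handler returns a session for user 1 (the victim) to whoever controls the `evil` IdP; the hardened one returns `VERIFY_REQUIRED` without a session, still logs the victim in normally through the `acme` IdP, and still auto-provisions genuinely new subjects. The point to carry over to any SSO integration is that an email attribute in an assertion is a claim by the IdP operator, not proof of account ownership.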
Potential impact of CVE-2025-22146
- Account Takeover: An attacker who knows a user's email address can obtain a session as that user and act on their behalf, including reading or altering the data the account can reach.
- Data Breaches: A hijacked account exposes error reports, stack traces and other application data, which may contain personal information, creating compliance and reputational risk.
- Operational Disruption: Compromised accounts can be used to change or disable monitoring and alerting, degrading the organization's ability to detect and respond to production problems.

Affected Version(s)
sentry >= 21.12.0, < 25.1.0
