Unauthenticated SSRF in Octo-STS GitHub App Affects Security Token Services
CVE-2025-52477

8.6 HIGH

Key Information:

Vendor: Octo-sts
Status: Vendor
CVE Published: 26 June 2025

What is CVE-2025-52477?

The Octo-STS GitHub App, in versions before 0.5.3, contains an unauthenticated server-side request forgery (SSRF) vulnerability caused by a flaw in how it handles OpenID Connect (OIDC) token inputs. An attacker who submits a crafted token can cause the service to make requests to internal network endpoints, and the resulting error output can disclose sensitive information, including error logs, to the unauthenticated caller. Version 0.5.3 adds input sanitization and redacts logged output; users should upgrade to 0.5.3 or later.
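How this class of bug arises and the checks that close it, shown as an added example written for this page (it is not Octo-STS's code). It assumes the token input that drives the outbound request is the OIDC iss claim, which a verifier has to read before it can fetch the issuer's discovery document and signing keys; the page does not say which field was at fault. The function names, the blocked address ranges and the sample issuers are this example's own:

```go
package main

import (
	"context"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// demoToken builds an unsigned JWT with the given iss (constructed input for this example only).
func demoToken(iss string) string {
	enc := base64.RawURLEncoding.EncodeToString
	body, _ := json.Marshal(map[string]string{"iss": iss})
	return enc([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + enc(body) + ".sig"
}

// unverifiedIssuer reads iss before any signature check. OIDC forces that order
// (the issuer says where the keys live), so treat the value as attacker-controlled.
func unverifiedIssuer(token string) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed JWT: expected 3 segments")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return "", fmt.Errorf("malformed JWT payload: %w", err)
	}
	var claims struct{ Iss string `json:"iss"` }
	if err := json.Unmarshal(payload, &claims); err != nil || claims.Iss == "" {
		return "", errors.New("JWT has no usable iss claim")
	}
	return claims.Iss, nil
}

// blockedCIDRs: loopback, RFC 1918, link-local (covers the 169.254.169.254 metadata endpoint),
// CGNAT, 0/8, IPv6 unspecified/loopback/ULA/link-local. Parsed per call only to keep this short.
var blockedCIDRs = []string{"127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
	"169.254.0.0/16", "100.64.0.0/10", "0.0.0.0/8", "::/128", "::1/128", "fc00::/7", "fe80::/10"}

// ipAllowed reports whether ip is non-nil and outside every blocked range.
func ipAllowed(ip net.IP) bool {
	for _, c := range blockedCIDRs {
		if _, n, _ := net.ParseCIDR(c); ip == nil || n.Contains(ip) {
			return false
		}
	}
	return true
}

// validateIssuer is the static check to run before fetching the issuer's /.well-known/openid-configuration:
// https, a DNS hostname (no IP literal), no userinfo, no query or fragment, no loopback name.
func validateIssuer(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("issuer is not a URL: %w", err)
	}
	host := strings.ToLower(u.Hostname())
	switch {
	case u.Scheme != "https":
		return nil, errors.New("issuer must use https")
	case host == "" || u.User != nil || u.RawQuery != "" || u.Fragment != "":
		return nil, errors.New("issuer must be a bare https origin plus optional path")
	case net.ParseIP(host) != nil:
		return nil, errors.New("issuer must be a hostname, not an IP literal")
	case host == "localhost" || strings.HasSuffix(host, ".localhost"):
		return nil, errors.New("issuer must not be a loopback name")
	}
	return u, nil
}

// safeDial is meant to be installed as http.Transport.DialContext (with CheckRedirect set to
// refuse redirects). It re-checks every resolved address and dials the vetted IP rather than
// the name, which is what defeats DNS rebinding and public names that resolve into internal ranges.
func safeDial(ctx context.Context, network, addr string) (net.Conn, error) {
	host, port, err := net.SplitHostPort(addr)
	if err != nil {
		return nil, err
	}
	ips, err := net.DefaultResolver.LookupIPAddr(ctx, host)
	if err != nil || len(ips) == 0 {
		return nil, fmt.Errorf("cannot resolve issuer host %q", host)
	}
	for _, ip := range ips {
		if !ipAllowed(ip.IP) {
			return nil, fmt.Errorf("issuer host %q resolves to a blocked address", host)
		}
	}
	var d net.Dialer
	return d.DialContext(ctx, network, net.JoinHostPort(ips[0].IP.String(), port))
}

func main() {
	_, err := validateIssuer("http://169.254.169.254/latest/meta-data/")
	fmt.Println(err) // rejected before any request is made: issuer must use https
}
```

Two points follow from the description above. The URL check on its own does not stop a public hostname that resolves to an internal address, or an issuer that changes its DNS answer between validation and connection, which is why safeDial validates again at dial time and connects to the vetted IP. And whatever the outbound request returns, the unauthenticated caller should receive only a generic error, with the detail (and the issuer value redacted) going to server-side logs; echoing upstream responses or internal error text back to the caller is the disclosure half of this advisory.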

Affected Version(s)

app < 0.5.3

CVSS V3.1

Score: 8.6
Severity: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability Reserved

  • Vulnerability published: 26 June 2025