IP-based Rate Limiting Flaw in Fides Open-Source Privacy Platform
CVE-2025-57815

1.7 LOW

Key Information:

Vendor: Ethyca
Status: Vendor
CVE Published: 8 September 2025

What is CVE-2025-57815?

The Fides Admin UI, part of Ethyca's open-source privacy engineering platform, protects its login endpoint only with an IP-based rate limit, and that control is inadequate against automated credential testing. An attacker can therefore run credential stuffing and password spraying against the login form; accounts with weak or previously compromised passwords are most at risk. Version 2.69.1 mitigates the issue by adding anti-automation controls to the login flow. Users with a commercial Fides Enterprise license can eliminate the risk entirely by enabling Single Sign-On (SSO) through an OIDC provider and disabling username/password authentication; this option is not available to open-source users.
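The following is an added example, not Fides project code, illustrating why a login throttle keyed only on the client IP (the weakness described above) does not stop guessing that is spread across many source addresses, and how a second counter keyed on the target account closes that gap. Limits, window and event data are constructed for the demonstration.

```python
"""Per-source and per-account login throttling (added example, not Fides code)."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class LoginThrottle:
    max_per_ip: int = 10       # failed attempts tolerated per source IP (assumed)
    max_per_account: int = 5   # failed attempts tolerated per username (assumed)
    window: int = 300          # seconds; failures older than this are forgotten
    _ip: dict = field(default_factory=lambda: defaultdict(list))
    _acct: dict = field(default_factory=lambda: defaultdict(list))

    def _prune(self, bucket, now):
        bucket[:] = [t for t in bucket if now - t < self.window]

    def allowed(self, ip, user, now, ip_only=False):
        """True if the attempt may proceed to password verification."""
        self._prune(self._ip[ip], now)
        if len(self._ip[ip]) >= self.max_per_ip:
            return False
        if ip_only:                      # the weak, IP-only policy
            return True
        acct = self._acct[user.lower()]  # account names compared case-insensitively
        self._prune(acct, now)
        return len(acct) < self.max_per_account

    def record_failure(self, ip, user, now):
        self._ip[ip].append(now)
        self._acct[user.lower()].append(now)


def simulate(events, ip_only):
    """Count how many constructed failed attempts reach password verification."""
    throttle = LoginThrottle()
    reached = 0
    for now, ip, user in events:
        if throttle.allowed(ip, user, now, ip_only=ip_only):
            reached += 1
            throttle.record_failure(ip, user, now)
    return reached


# Constructed traffic: 40 failures against one account, each from a different
# address one second apart (IP-only limiting never triggers).
DISTRIBUTED = [(i, f"203.0.113.{i}", "admin") for i in range(40)]
# Constructed traffic: 40 failures from one address, one per account (spraying);
# here the per-IP counter is the one that bites.
SPRAY = [(i, "198.51.100.7", f"user{i}") for i in range(40)]
```

With both counters the distributed case is cut off at the per-account limit, while the single-source spray is still capped by the per-IP limit; each counter covers the pattern the other misses.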

Affected Version(s)

fides < 2.69.1

References

CVSS V4

Score: 1.7
Severity: LOW
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
