Ineffective IP-Based Rate Limiting in Fides Webserver API by Ethyca
CVE-2025-57816

6.3 MEDIUM

Key Information:

Vendor: Ethyca
Status: Vendor
CVE Published: 8 September 2025

What is CVE-2025-57816?

The Fides Webserver API, developed by Ethyca, contains a weakness in its built-in IP-based rate limiting mechanism. Prior to version 2.69.1, the API fails to apply rate limits correctly when deployed behind CDNs, proxies, or load balancers: it keys the limit on the IP address of the directly connected infrastructure rather than on the actual client IP. In addition, the rate limit counters are held in process memory rather than in a shared store, so each worker keeps its own independent count. Together these flaws let an attacker circumvent the intended limits, creating a denial-of-service risk. Users are advised to upgrade to version 2.69.1 or to implement external rate limiting, such as a WAF or API gateway, for enhanced protection.
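The two weaknesses described above, keying on the proxy's address instead of the client's and counting in per-process memory, are easy to reproduce and to fix in isolation. The following is an added illustration, not Fides code: `client_ip` resolves the real client behind a list of trusted proxies (the `TRUSTED_PROXIES` ranges, the traffic and the addresses are all constructed for the example), `FixedWindowLimiter` counts against a pluggable store, and the two helper functions contrast the naive and corrected behaviour.

```python
"""Added example (not Fides code): resolving the real client IP behind trusted
proxies and keeping rate-limit counters in a shared store."""
import ipaddress
import time

# Constructed trusted-proxy ranges; a real deployment lists only the egress
# addresses of its own CDN / load balancer tier.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("127.0.0.0/8")]


def _is_trusted(ip, trusted):
    try:
        return any(ipaddress.ip_address(ip) in net for net in trusted)
    except ValueError:          # not a parseable address: never trusted
        return False


def client_ip(peer_ip, forwarded_for, trusted=TRUSTED_PROXIES):
    """Return the address a rate limiter should key on.

    If the TCP peer is not one of our proxies, X-Forwarded-For was written by
    the client itself and is ignored. Otherwise walk the chain right-to-left,
    skip our own hops, and take the first address a trusted proxy appended.
    """
    if not forwarded_for or not _is_trusted(peer_ip, trusted):
        return peer_ip
    for hop in reversed([h.strip() for h in forwarded_for.split(",")]):
        if hop and not _is_trusted(hop, trusted):
            return hop
    return peer_ip              # only our own proxies appear in the chain


class FixedWindowLimiter:
    """Per-key request counter in a pluggable mapping.

    Give every worker the same shared mapping (Redis in practice); a private
    dict per process multiplies the effective limit by the worker count.
    """
    def __init__(self, limit, window_s, store, clock=time.time):
        self.limit, self.window_s, self.store, self.clock = limit, window_s, store, clock

    def allow(self, key):
        bucket = (key, int(self.clock() // self.window_s))
        self.store[bucket] = self.store.get(bucket, 0) + 1
        return self.store[bucket] <= self.limit


# Constructed traffic: (TCP peer, X-Forwarded-For header). Two distinct clients
# arrive through the proxy 10.0.0.5; a third connects directly and forges a header.
TRAFFIC = ([("10.0.0.5", "203.0.113.7, 10.0.0.5")] * 6
           + [("10.0.0.5", "198.51.100.9, 10.0.0.5")] * 2
           + [("192.0.2.44", "203.0.113.7")])


def naive_key(peer, xff):
    """The behaviour the advisory describes: key on the connected peer only."""
    return peer


def allowed_per_key(key_fn, limit=5):
    """Replay TRAFFIC through one limiter and count allowed requests per key."""
    limiter = FixedWindowLimiter(limit, 60, store={}, clock=lambda: 1_000.0)
    allowed = {}
    for peer, xff in TRAFFIC:
        key = key_fn(peer, xff)
        if limiter.allow(key):
            allowed[key] = allowed.get(key, 0) + 1
    return allowed


def effect_of_store_sharing(limit=5, workers=2, requests=10):
    """One client, requests spread round-robin over workers.

    Returns (allowed with a private store per worker, allowed with one shared store).
    """
    private = [FixedWindowLimiter(limit, 60, store={}, clock=lambda: 1_000.0)
               for _ in range(workers)]
    shared_store = {}
    shared = [FixedWindowLimiter(limit, 60, store=shared_store, clock=lambda: 1_000.0)
              for _ in range(workers)]

    def hits(pool):
        return sum(pool[i % workers].allow("203.0.113.7") for i in range(requests))

    return hits(private), hits(shared)


if __name__ == "__main__":
    print("keyed on peer  :", allowed_per_key(naive_key))
    print("keyed on client:", allowed_per_key(client_ip))
    print("(private, shared) allowed:", effect_of_store_sharing())
```

With the naive key, all eight proxied requests share the proxy's bucket, so the second client is blocked by the first client's traffic, while the direct connection that forges a header is never attributed to the address it claims. With `client_ip`, each real client gets its own quota and the forged header is ignored because the peer is not a trusted proxy. The store comparison shows why a shared counter matters: two workers with private dicts admit twice the configured limit.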

Affected Version(s)

fides < 2.69.1

References

CVSS V4

Score: 6.3
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
