/
DirectorySecurity AdvisoriesPricing
Sign in
Security Advisories

CVE-2025-52477

Published

Last updated

NVD

https://nvd.nist.gov/vuln/detail/CVE-2025-52477

Severity

8.6

High

CVSS V3

Summary

Octo-STS Vulnerable to Unauthenticated SSRF with HTTP Response Reflection in OIDC Flow

Description

Octo-STS is a GitHub App that acts like a Security Token Service (STS) for the GitHub API. Octo-STS versions before v0.5.3 are vulnerable to unauthenticated SSRF by abusing fields in OpenID Connect tokens. Malicious tokens were shown to trigger internal network requests which could reflect error logs with sensitive information. Upgrade to v0.5.3 to resolve this issue. This version includes patch sets to sanitize input and redact logging.

References

  • https://images.chainguard.dev/security/CGA-r6mm-wmg3-7mrr
  • https://github.com/advisories/GHSA-h3qp-hwvr-9xcq
  • https://github.com/octo-sts/app/commit/0f177fde54f9318e33f0bba6abaea9463a7c3afd
  • https://github.com/octo-sts/app/commit/b3976e39bd8c8c217c0670747d34a4499043da92
  • https://github.com/octo-sts/app/security/advisories/GHSA-h3qp-hwvr-9xcq

Affected packages

The trusted source for open source

Talk to an expert
© 2025 Chainguard. All Rights Reserved.
PrivacyTerms

Product

Chainguard ContainersChainguard LibrariesChainguard VMsIntegrationsPricing

Solutions

FedRAMPPCI DSSCMMC 2.0Golden ImagesCVE RemediationPublic Sector

Customers

Customer StoriesChainguard Reviews

Resources

Events & WebinarsSupply Chain Security 101Chainguard CoursesDocumentationTrust CenterChainguard Slack Community

Company

About UsBlogPartnersNewsroomCareersLegal