QwikSec

Security Database

CVE

CWE

Training

CVE-2025-52477

Published: Jun 26, 2025

Modified: Jun 27, 2025

PUBLISHED

CVSS v3.1

8.6

HIGH

Description

Octo-STS is a GitHub App that acts like a Security Token Service (STS) for the GitHub API. Octo-STS versions before v0.5.3 are vulnerable to unauthenticated SSRF by abusing fields in OpenID Connect tokens. Malicious tokens were shown to trigger internal network requests which could reflect error logs with sensitive information. Upgrade to v0.5.3 to resolve this issue. This version includes patch sets to sanitize input and redact logging.

Vendor	Product	Versions
octo-sts	app	affected `< 0.5.3`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

References

https://github.com/octo-sts/app/security/advisories/GHSA-h3qp-hwvr-9xcq

x_refsource_CONFIRM

https://github.com/octo-sts/app/security/advisories/GHSA-h3qp-hwvr-9xcq

x_refsource_MISC

https://github.com/octo-sts/app/commit/0f177fde54f9318e33f0bba6abaea9463a7c3afd

x_refsource_MISC

https://github.com/octo-sts/app/commit/b3976e39bd8c8c217c0670747d34a4499043da92

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.