CVE-2025-57817

EUVD-2025-27268
Fides is an open-source privacy engineering platform. Prior to version 2.69.1, the OAuth client creation and update endpoints of the Fides Webserver API do not properly authorize scope assignment. This allows highly privileged users with `client:create` or `client:update` permissions to escalate their privileges to owner-level. Version 2.69.1 fixes the issue. No known workarounds are available.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.2 HIGH
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 20%
Affected Products (NVD)
VendorProductVersion
ethycafides
𝑥
< 2.69.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/ethyca/fides/commit/2ffd125e1089a09b84c27fb5279a05960cbf2452
https://github.com/ethyca/fides/releases/tag/2.69.1
https://github.com/ethyca/fides/security/advisories/GHSA-hjfh-p8f5-24wr