CVE-2025-58445

EUVD-2025-27088
Atlantis is a self-hosted golang application that listens for Terraform pull request events via webhooks. All versions of Atlantis publicly expose detailed version information through its /status endpoint. This information disclosure could allow attackers to identify and target known vulnerabilities associated with the specific versions, potentially compromising the service's security posture. This issue does not currently have a fix.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 20%
Affected Products (NVD)
VendorProductVersion
runatlantisatlantis
𝑥
≤ 0.35.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/runatlantis/atlantis/security/advisories/GHSA-xh7v-965r-23f7
https://github.com/runatlantis/atlantis/security/advisories/GHSA-xh7v-965r-23f7