Vulnerability Description
Octo-STS is a GitHub App that acts as a Security Token Service (STS) for the GitHub API. Octo-STS versions before v0.5.3 are vulnerable to unauthenticated SSRF through abuse of fields in OpenID Connect tokens. Malicious tokens were shown to trigger internal network requests, and the resulting error logs could reflect sensitive information. Upgrade to v0.5.3 to resolve this issue; this version includes patch sets that sanitize input and redact logging.
CVSS Score
HIGH
Related Weaknesses (CWE)
References
- https://github.com/octo-sts/app/commit/0f177fde54f9318e33f0bba6abaea9463a7c3afd
- https://github.com/octo-sts/app/commit/b3976e39bd8c8c217c0670747d34a4499043da92
- https://github.com/octo-sts/app/security/advisories/GHSA-h3qp-hwvr-9xcq
FAQ
What is CVE-2025-52477?
CVE-2025-52477 is a vulnerability with a CVSS score of 8.6 (HIGH). Octo-STS is a GitHub App that acts as a Security Token Service (STS) for the GitHub API. Octo-STS versions before v0.5.3 are vulnerable to unauthenticated SSRF through abuse of fields in OpenID Connect tokens.
How severe is CVE-2025-52477?
CVE-2025-52477 has been rated HIGH with a CVSS base score of 8.6/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2025-52477?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.