Vulnerability Description
Fides is an open-source privacy engineering platform. Prior to version 2.69.1, the Fides Admin UI login endpoint relies only on the general IP-based rate limit applied to all API traffic and has no login-specific anti-automation controls (per-account throttling, lockout or similar) to protect against brute-force attacks. Because a general per-IP limit is sized for normal API use and is applied per source address, an attacker can stay under it by spreading attempts across many IP addresses, so credential testing attacks such as credential stuffing and password spraying remain practical. This poses a risk to accounts with weak or previously compromised passwords. Version 2.69.1 fixes the issue. For organizations with commercial Fides Enterprise licenses, configuring Single Sign-On (SSO) through an OIDC provider (such as Azure, Google, or Okta) is an effective workaround: when OIDC SSO is enabled, username/password authentication can be disabled entirely, which removes this attack vector. This functionality is not available to Fides Open Source users.
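The description above contrasts a general per-IP API rate limit with login-specific anti-automation controls. The following is an added example, not Fides code and not the 2.69.1 fix itself: two hypothetical limiters (`IpRateLimiter`, the weak control, and `LoginRateLimiter`, a hardened one that budgets attempts per account and per IP on the login route and temporarily locks an account that exhausts its budget) run against two constructed attack scenarios, distributed credential stuffing and single-source password spraying. All limits, IP addresses and account names are assumptions chosen for the illustration.

```python
"""Why a global per-IP API rate limit does not stop credential testing.

Added illustration, not Fides code. Every limit and address below is a
constructed assumption; the point is the keying of the budgets, not the values.
"""
from collections import defaultdict, deque


class SlidingWindowCounter:
    """Allows at most `limit` events per `key` in any trailing `window_s` seconds."""

    def __init__(self, limit, window_s):
        self.limit = limit
        self.window_s = window_s
        self._events = defaultdict(deque)

    def allow(self, key, now):
        q = self._events[key]
        while q and q[0] <= now - self.window_s:  # drop events outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class IpRateLimiter:
    """Weak control: one generous budget per source IP shared by all API traffic."""

    def __init__(self, limit=100, window_s=60):
        self._ips = SlidingWindowCounter(limit, window_s)

    def check_login(self, ip, username, now):
        return self._ips.allow(ip, now)


class LoginRateLimiter:
    """Hardened control: budgets keyed on the account and on the IP, login route only.

    Every attempt is counted here for simplicity; a real deployment would count
    failures and reset the account budget on a successful login.
    """

    def __init__(self, per_account=5, per_ip=20, window_s=300, lock_s=900):
        self._account = SlidingWindowCounter(per_account, window_s)
        self._ip = SlidingWindowCounter(per_ip, window_s)
        self._locked_until = {}
        self.lock_s = lock_s

    def check_login(self, ip, username, now):
        key = username.lower()  # normalise so "Alice" and "alice" share one budget
        if self._locked_until.get(key, 0) > now:
            return False
        if not self._ip.allow(ip, now):
            return False
        if not self._account.allow(key, now):
            self._locked_until[key] = now + self.lock_s  # lock the account, not just the IP
            return False
        return True


def simulate_distributed_stuffing(limiter, n_ips=50, attempts_per_ip=5,
                                  target="admin@example.com"):
    """Constructed scenario: n_ips addresses each try attempts_per_ip passwords
    against one account within a few seconds. Returns attempts that reached the
    password check."""
    passed, t = 0, 0.0
    for i in range(n_ips):
        ip = f"203.0.113.{i}"  # TEST-NET-3 documentation addresses
        for _ in range(attempts_per_ip):
            if limiter.check_login(ip, target, t):
                passed += 1
            t += 0.1
    return passed


def simulate_password_spray(limiter, n_accounts=50, ip="198.51.100.7"):
    """Constructed scenario: one address tries a single password against
    n_accounts different accounts. Returns attempts that reached the password check."""
    passed, t = 0, 0.0
    for i in range(n_accounts):
        if limiter.check_login(ip, f"user{i}@example.com", t):
            passed += 1
        t += 0.1
    return passed


if __name__ == "__main__":
    for cls in (IpRateLimiter, LoginRateLimiter):
        print(cls.__name__, "stuffing:", simulate_distributed_stuffing(cls()),
              "spray:", simulate_password_spray(cls()))
```

Under the per-IP limiter every attempt in both scenarios reaches the password check (250 and 50), because no single address ever exceeds its general API budget; the login-scoped limiter admits 5 and 20 respectively and rejects further attempts against a locked account even from a fresh address. One caveat when adopting per-account lockout: answer a locked account and a wrong password with the same status and timing, or the lockout itself becomes a username enumeration oracle.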
CVSS Score
6.5 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ethyca | Fides | < 2.69.1 |
Related Weaknesses (CWE)
References
- Patch: https://github.com/ethyca/fides/commit/59903c195e2f9f8915a1db94950aefd557033a5c
- Release Notes: https://github.com/ethyca/fides/releases/tag/2.69.1
- Vendor Advisory: https://github.com/ethyca/fides/security/advisories/GHSA-7q62-r88r-j5gw
FAQ
What is CVE-2025-57815?
CVE-2025-57815 is a vulnerability with a CVSS score of 6.5 (MEDIUM) in Ethyca Fides, an open-source privacy engineering platform. In versions prior to 2.69.1 the Admin UI login endpoint is protected only by the general IP-based rate limit applied to all API traffic and lacks login-specific anti-automation controls, so credential stuffing and password spraying against accounts with weak or previously compromised passwords are not effectively throttled. The full description is given above.
How severe is CVE-2025-57815?
CVE-2025-57815 has been rated MEDIUM with a CVSS base score of 6.5/10. The practical impact is account takeover of Admin UI accounts whose passwords are weak or already exposed in a breach; the advisory does not describe an authentication bypass, so accounts with strong unique passwords are not directly compromised.
Is there a patch for CVE-2025-57815?
Yes. Fides version 2.69.1 fixes the issue; the patch commit, release notes and vendor advisory are linked in the references section above. Fides Enterprise deployments can additionally enable OIDC SSO and disable username/password authentication as a workaround; that option is not available to Fides Open Source users, who should upgrade.