10

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-44005

CVE-2025-44005: Step CA Has Authorization Bypass in ACME and SCEP Provisioners

Summary

A security fix is now available for Step CA that resolves a vulnerability affecting deployments configured with ACME and/or SCEP provisioners. All operators running these provisioners should upgrade to the latest release (v0.29.0) immediately.

The issue was discovered and disclosed by a research team during a security review. There is no evidence of active exploitation.

To limit exploitation risk during a coordinated disclosure window, we are withholding detailed technical information for now. A full write-up will be published in several weeks.

Embargo List

If your organization runs Step CA in production and would like advance, embargoed notification of future security updates, visit https://u.step.sm/disclosure to request inclusion on our embargo list.

Acknowledgements

This issue was identified and reported by Stephen Kubik of the Cisco Advanced Security Initiatives Group (ASIG)

Stay safe, and thank you for helping us keep the ecosystem secure.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-44005

CVE-2025-44005:

10

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/smallstep/certificates	go	<= 0.28.4	0.29.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is an authorization bypass in Step CA's ACME and SCEP provisioners. The root cause is a flaw in the token authorization logic within the authority.UseToken function. This function was responsible for validating and marking tokens as used but failed to properly handle cases where a provisioner, such as ACME or SCEP, does not support token-based authentication.

The GetTokenID method on these provisioners would return an error, but the calling UseToken function would ignore it, allowing the request to proceed without proper authorization. This could be exploited to bypass authorization checks for operations like certificate renewal and revocation.

The fix addresses this in several ways:

The GetTokenID methods for ACME and SCEP provisioners were modified to return a specific error, ErrTokenFlowNotSupported.
The UseToken function was updated to recognize this specific error and reject any request where the provisioner does not support the token flow.
An additional check was added to the Revoke function to ensure the serial number in the request matches the one in the token, preventing unauthorized revocations.

The identified vulnerable functions are those central to the token authorization flow that either contained the flawed logic or called the vulnerable function, as well as the Revoke function which was missing a critical validation check.

Vulnerable functions

authority.UseToken

authority/authorize.go

The original implementation of `UseToken` incorrectly handled errors from `prov.GetTokenID(token)`. It would only proceed if `err == nil`, effectively ignoring cases where a provisioner did not support token-based authentication (like ACME and SCEP), which would return an error. This allowed authorization to be bypassed. The patched version explicitly checks for `provisioner.ErrTokenFlowNotSupported` and denies the request, closing the security hole.

authority.authorizeToken

authority/authorize.go

This function is a caller of the vulnerable `UseToken` function. By passing a token from an unsupported provisioner (like ACME or SCEP), an attacker could bypass the authorization check within this function.

authority.AuthorizeRenewToken

authority/authorize.go

This function, used for certificate renewal, was also a caller of the vulnerable `UseToken` function. This could have allowed an attacker to renew certificates without proper authorization.

authority.Revoke

authority/tls.go

The `Revoke` function was missing a check to ensure that the serial number in the revocation request matched the serial number in the authorization token (`claims.Subject`). This vulnerability could allow an attacker to revoke a certificate they do not own by providing a valid token for a different certificate.

provisioner.ACME.GetTokenID

authority/provisioner/acme.go

The ACME provisioner did not support token-based authentication, but it returned a generic error that was ignored by the `UseToken` function. The patch changes this to return a specific `ErrTokenFlowNotSupported` error, which is now correctly handled by the updated `UseToken` function. While not vulnerable in itself, this function was a key component of the bypass.

provisioner.SCEP.GetTokenID

authority/provisioner/scep.go

Similar to the ACME provisioner, the SCEP provisioner returned a generic error for the unsupported `GetTokenID` method. This was a contributing factor to the authorization bypass vulnerability in `UseToken`. The fix ensures it returns a specific, actionable error.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

10

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-44005: Step CA Has Authorization Bypass in ACME and SCEP Provisioners

Summary

Embargo List

Acknowledgements

CVE-2025-44005:

10

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-44005: Step CA Has Authorization Bypass in ACME and SCEP Provisioners

Summary

Embargo List

Acknowledgements

10

10

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI