
CVE-2025-52477: Octo STS Unauthenticated SSRF by abusing fields in OpenID Connect tokens

CVSS Score
8.6 (CVSS v3.1)

Basic Information

EPSS Score
0.10896%
Published
6/26/2025
Updated
6/26/2025
KEV Status
No
Technology
Go

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Package Name
github.com/octo-sts/app
Ecosystem
Go
Vulnerable Versions
<= 0.5.2
First Patched Version
0.5.3

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability is an unauthenticated SSRF in Octo-STS, triggered by submitting a crafted OpenID Connect token. OIDC discovery locates the provider from the token's issuer, and the provider has to be discovered before the signature can be checked, so the outbound request is made before any trust decision: an attacker-chosen issuer steers the server towards internal hosts, and error responses from those requests could surface in logs. The patches address this by adding input validation for token fields and redacting sensitive information from logs. The commits show that the Exchange function in pkg/octosts/octosts.go, the CheckToken function in pkg/octosts/trust_policy.go and the Get function in pkg/provider/provider.go all processed the OIDC token without proper validation. Exchange is the main entry point for token processing and is therefore the primary vulnerable function; CheckToken also processes the token; Get performed the OIDC discovery request and is where the SSRF occurred. The new functions in pkg/oidcvalidate/validate.go are the mitigation, not the vulnerability.
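The discovery step described above, as an added example that is not octo-sts's own code: the vulnerable shape (read iss from a not-yet-verified token and build the discovery URL from it) beside a hypothetical validateIssuer check of the kind the pkg/oidcvalidate mitigation stands for. Everything except the standard iss claim and the /.well-known/openid-configuration path is an assumption for illustration; the tokens are constructed inline with a bogus signature, which is all that is needed to reach the discovery step.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

const discoveryPath = "/.well-known/openid-configuration"

// unverifiedIssuer reads the iss claim from a compact JWS without checking the
// signature: no keys exist yet at discovery time, so iss is attacker-controlled.
func unverifiedIssuer(token string) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("token is not a three-part compact JWS")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return "", fmt.Errorf("decoding JWT payload: %w", err)
	}
	var claims struct {
		Issuer string `json:"iss"`
	}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return "", fmt.Errorf("parsing JWT claims: %w", err)
	}
	return claims.Issuer, nil
}

// discoveryURLUnchecked is the vulnerable pattern: whoever controls iss picks the target.
func discoveryURLUnchecked(token string) (string, error) {
	iss, err := unverifiedIssuer(token)
	if err != nil {
		return "", err
	}
	return strings.TrimSuffix(iss, "/") + discoveryPath, nil
}

// validateIssuer is a hypothetical hardening check, not octo-sts's own code. It
// accepts only issuers shaped like a public HTTPS OIDC provider.
func validateIssuer(iss string) error {
	if iss == "" || len(iss) > 256 {
		return errors.New("issuer missing or too long")
	}
	u, err := url.Parse(iss)
	if err != nil {
		return fmt.Errorf("issuer is not a URL: %w", err)
	}
	if u.Scheme != "https" || u.Opaque != "" || u.User != nil || u.RawQuery != "" || u.Fragment != "" {
		return errors.New("issuer must be a plain https URL without userinfo, query or fragment")
	}
	host := strings.ToLower(u.Hostname())
	// IP literals address loopback listeners and link-local metadata services;
	// public OIDC issuers are DNS names on the default TLS port.
	if host == "" || net.ParseIP(host) != nil {
		return errors.New("issuer host must be a DNS name")
	}
	if p := u.Port(); p != "" && p != "443" {
		return errors.New("issuer must use port 443")
	}
	if host == "localhost" || strings.HasSuffix(host, ".localhost") || strings.HasSuffix(host, ".local") {
		return errors.New("issuer host is reserved for local use")
	}
	return nil
}

// discoveryURLChecked is the hardened form: validate before building the URL.
// The error names the rejected issuer but never echoes an upstream response.
func discoveryURLChecked(token string) (string, error) {
	iss, err := unverifiedIssuer(token)
	if err != nil {
		return "", err
	}
	if err := validateIssuer(iss); err != nil {
		return "", fmt.Errorf("rejecting issuer %q: %w", iss, err)
	}
	return strings.TrimSuffix(iss, "/") + discoveryPath, nil
}

// makeUnsignedToken builds a constructed token with a bogus signature (test input only).
func makeUnsignedToken(iss string) string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`))
	payload, err := json.Marshal(map[string]string{"iss": iss, "sub": "repo:example-org/app:ref:refs/heads/main"})
	if err != nil {
		panic(err)
	}
	return header + "." + base64.RawURLEncoding.EncodeToString(payload) + ".c2ln"
}

func main() {
	for _, iss := range []string{"https://token.actions.githubusercontent.com", "http://169.254.169.254/latest/meta-data", "https://127.0.0.1:8500", "https://user:pw@evil.example/"} {
		tok := makeUnsignedToken(iss)
		unchecked, _ := discoveryURLUnchecked(tok)
		_, err := discoveryURLChecked(tok)
		fmt.Printf("iss=%q\n  unchecked: GET %s\n  checked:   %v\n", iss, unchecked, err)
	}
}
```

Name-based checks are a floor, not a ceiling: a public hostname can still resolve to an internal address (DNS rebinding), so a production service should additionally pin an allowlist of expected issuers and reject private-range addresses at dial time in the HTTP client. The error strings deliberately carry only the rejected issuer and the reason, in line with the patch's second point of not reflecting sensitive upstream data into logs.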


WAF Protection Rules

WAF Rule

Summary

Octo-STS versions before v0.5.3 are vulnerable to unauthenticated SSRF by abusing fields in OpenID Connect tokens. Malicious tokens were shown to trigger internal network requests which could reflect error logs with sensitive information.
