ghsa-7q62-r88r-j5gw
Vulnerability from github
Published
2025-09-08 20:45
Modified
2025-09-13 04:41
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
2.3 (Low) - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Summary
Fides has a Lack of Brute-Force Protections on Authentication Endpoints
Details

Summary

The Fides Admin UI login endpoint relies on a general IP-based rate limit for all API traffic and lacks specific anti-automation controls designed to protect against brute-force attacks. This could allow attackers to conduct credential testing attacks, such as credential stuffing or password spraying, which poses a risk to accounts with weak or previously compromised passwords.

Details

Fides uses a configurable, system-wide rate limit to control traffic from any single IP address. Because this single limit must be set high enough to accommodate endpoints that receive a large volume of legitimate traffic, it offers only weak protection for the login endpoint. The system is not equipped with more advanced protections tailored specifically for authentication

Impact

Although password complexity requirements and the global rate limit make a traditional brute-force attack against a single account difficult, the lack of authentication-specific protections exposes Fides to more targeted attacks. An attacker could use automated tools to test credentials obtained from data breaches or guess common passwords across multiple user accounts. If an attacker successfully compromises an account, they would gain full access to that user's privileges within the Fides Admin UI.

Patches

The vulnerability has been patched in Fides version 2.69.1. Users are advised to upgrade to this version or later to secure their systems against this threat.

Workarounds

For organizations with commercial Fides Enterprise licenses, configuring Single Sign-On (SSO) through an OIDC provider (like Azure, Google, or Okta) is an effective workaround. When OIDC SSO is enabled, username/password authentication can be disabled entirely, which eliminates this attack vector. This functionality is not available for Fides Open Source users.

Risk Level

This vulnerability has been assigned a severity of LOW.

This is fundamentally a security hardening issue. While the lack of authentication-specific rate limiting could enable credential stuffing attacks, several factors limit the risk: existing global rate limits provide baseline protection, password complexity requirements prevent trivial brute-force attacks, and successful exploitation requires attackers to already possess valid credentials from external breaches.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ethyca-fides"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.69.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-57815"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-307"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-08T20:45:24Z",
    "nvd_published_at": "2025-09-08T22:15:33Z",
    "severity": "LOW"
  },
  "details": "### Summary\n\nThe Fides Admin UI login endpoint relies on a general IP-based rate limit for all API traffic and lacks specific anti-automation controls designed to protect against brute-force attacks. This could allow attackers to conduct credential testing attacks, such as credential stuffing or password spraying, which poses a risk to accounts with weak or previously compromised passwords.\n\n### Details\n\nFides uses a configurable, system-wide rate limit to control traffic from any single IP address. Because this single limit must be set high enough to accommodate endpoints that receive a large volume of legitimate traffic, it offers only weak protection for the login endpoint. The system is not equipped with more advanced protections tailored specifically for authentication\n\n### Impact\n\nAlthough password complexity requirements and the global rate limit make a traditional brute-force attack against a single account  difficult, the lack of authentication-specific protections exposes Fides to more targeted attacks. An attacker could use automated tools to test credentials obtained from data breaches or guess common passwords across multiple user accounts. If an attacker successfully compromises an account, they would gain full access to that user\u0027s privileges within the Fides Admin UI.\n\n### Patches\n\nThe vulnerability has been patched in Fides version `2.69.1`. Users are advised to upgrade to this version or later to secure their systems against this threat.\n\n### Workarounds\n\nFor organizations with commercial Fides Enterprise licenses, configuring Single Sign-On (SSO) through an OIDC provider (like Azure, Google, or Okta) is an effective workaround. When OIDC SSO is enabled, username/password authentication can be disabled entirely, which eliminates this attack vector. This functionality is not available for Fides Open Source users.\n\n### Risk Level\n\nThis vulnerability has been assigned a severity of **LOW**.\n\nThis is fundamentally a security hardening issue. While the lack of authentication-specific rate limiting could enable credential stuffing attacks, several factors limit the risk: existing global rate limits provide baseline protection, password complexity requirements prevent trivial brute-force attacks, and successful exploitation requires attackers to already possess valid credentials from external breaches.",
  "id": "GHSA-7q62-r88r-j5gw",
  "modified": "2025-09-13T04:41:12Z",
  "published": "2025-09-08T20:45:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ethyca/fides/security/advisories/GHSA-7q62-r88r-j5gw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57815"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ethyca/fides/commit/59903c195e2f9f8915a1db94950aefd557033a5c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ethyca/fides"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ethyca/fides/releases/tag/2.69.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Fides has a Lack of Brute-Force Protections on Authentication Endpoints"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.