CVE-2025-57817

moderate-risk

Published 2025-09-08

Fides is an open-source privacy engineering platform. Prior to version 2.69.1, the OAuth client creation and update endpoints of the Fides Webserver API do not properly authorize scope assignment. This allows highly privileged users with `client:create` or `client:update` permissions to escalate their privileges to owner-level. Version 2.69.1 fixes the issue. No known workarounds are available.

Do I need to act?

0.07% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.2/10 High

NETWORK / LOW complexity

Affected Products (1)

Fides

Affected Vendors

Ethyca

References (3)

Patch https://github.com/ethyca/fides/commit/2ffd125e1089a09b84c27fb5279a05960cbf2452

Release Notes https://github.com/ethyca/fides/releases/tag/2.69.1

Vendor Advisory https://github.com/ethyca/fides/security/advisories/GHSA-hjfh-p8f5-24wr

/ 100

moderate-risk

Severity 26/34 · High

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal