CVE-2025-67846
low-risk
Published 2025-12-19
The Deployment Infrastructure in Mintlify Platform before 2025-11-15 allows remote attackers to bypass security patches and execute downgrade attacks via predictable deployment identifiers on the Vercel preview domain. Earlier deployments stay reachable at hostnames derived from their git ref or deployment id, so an attacker who can guess or reconstruct such a hostname can browse directly to a pre-patch build and use whatever vulnerability that build still contains. Patching the current build does not change what an old hostname serves; the exposure lasts as long as the old deployments remain reachable.
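The practical question for an operator is which old preview hostnames still answer with a pre-patch build. The script below is an added example written for this page; it is not code from Mintlify, Vercel or the CVE record. It assumes the common Vercel preview hostname conventions (one hostname per git branch, one per deployment id) and that the application reports its build in an x-build-id response header; both are assumptions to adapt to your project, and the HTTP responses it runs against are constructed test data so it works offline.

```python
"""Audit which preview deployments are still reachable at guessable hostnames.
Added example for this advisory, not Mintlify's or Vercel's code. Hostname
patterns and the x-build-id header are assumptions; responses are constructed."""
import re
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Assumed Vercel preview hostname patterns: one per git branch, one per deployment id.
BRANCH_HOST = "{project}-git-{branch}-{scope}.vercel.app"
DEPLOY_HOST = "{project}-{deploy_id}-{scope}.vercel.app"

# A fetcher maps a hostname to (HTTP status, build marker or None).
Fetcher = Callable[[str], Tuple[int, Optional[str]]]


def branch_slug(branch: str, max_len: int = 63) -> str:
    """Lowercase a branch name and fold runs of non [a-z0-9] into '-' (assumed folding rule)."""
    slug = re.sub(r"[^a-z0-9]+", "-", branch.lower()).strip("-")
    return slug[:max_len].rstrip("-")


def candidate_hosts(project: str, scope: str, branches: Iterable[str],
                    deploy_ids: Iterable[str]) -> Dict[str, str]:
    """Hostnames an attacker could derive from known branches and ids -> their source."""
    hosts: Dict[str, str] = {}
    for b in branches:
        hosts[BRANCH_HOST.format(project=project, branch=branch_slug(b), scope=scope)] = f"branch:{b}"
    for d in deploy_ids:
        hosts[DEPLOY_HOST.format(project=project, deploy_id=d, scope=scope)] = f"deploy:{d}"
    return hosts


@dataclass(frozen=True)
class Finding:
    hostname: str
    source: str            # branch or deployment id the hostname was derived from
    status: int
    build: Optional[str]
    verdict: str           # "current", "stale-reachable", "blocked", "gone" or "unknown"


def classify(status: int, build: Optional[str], current_build: str) -> str:
    """Decide whether a hostname still hands out a build other than the current one."""
    if status in (401, 403):
        return "blocked"        # deployment protection or auth sits in front of it
    if status in (404, 410):
        return "gone"           # deployment deleted or hostname never existed
    if status == 200:
        return "current" if build == current_build else "stale-reachable"
    return "unknown"


def audit(hosts: Dict[str, str], fetch: Fetcher, current_build: str) -> List[Finding]:
    """Probe every candidate hostname and classify what it serves."""
    findings = []
    for host, source in sorted(hosts.items()):
        status, build = fetch(host)
        findings.append(Finding(host, source, status, build, classify(status, build, current_build)))
    return findings


def stale_hosts(findings: Iterable[Finding]) -> List[str]:
    """Hostnames that still serve a build other than the current (patched) one."""
    return [f.hostname for f in findings if f.verdict == "stale-reachable"]


def http_fetch(host: str, timeout: float = 10.0) -> Tuple[int, Optional[str]]:
    """Real fetcher: GET the hostname root and read the assumed x-build-id header.
    urlopen follows redirects, so a stale host that redirects to production
    reports production's build and is classified as current."""
    req = urllib.request.Request(f"https://{host}/", headers={"User-Agent": "stale-preview-audit"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("x-build-id")
    except urllib.error.HTTPError as err:
        return err.code, None


# Constructed responses standing in for the network so the example runs offline.
CONSTRUCTED_RESPONSES: Dict[str, Tuple[int, Optional[str]]] = {
    "docs-git-main-acme.vercel.app": (200, "build-2025-11-20"),        # current, patched build
    "docs-git-fix-auth-acme.vercel.app": (200, "build-2025-11-10"),    # old branch, still served
    "docs-git-release-2025-10-acme.vercel.app": (401, None),           # behind deployment protection
    "docs-abc123def-acme.vercel.app": (404, None),                     # deployment deleted
}


def fake_fetch(host: str) -> Tuple[int, Optional[str]]:
    return CONSTRUCTED_RESPONSES.get(host, (404, None))


if __name__ == "__main__":
    hosts = candidate_hosts("docs", "acme", ["main", "fix-auth", "release/2025-10"], ["abc123def"])
    for f in audit(hosts, fake_fetch, current_build="build-2025-11-20"):
        print(f"{f.verdict:16} {f.hostname}  ({f.source}, HTTP {f.status})")
```

To run it against a live project, feed candidate_hosts the branch names from your git history and the deployment ids from your deployment list, pass http_fetch instead of fake_fetch, and treat every "stale-reachable" hostname as an unpatched copy of the application that needs to be deleted or put behind deployment protection. A "blocked" verdict only means the probe was refused; whoever holds the credentials for that protection still reaches the old build.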
Do I need to act?
EPSS: 0.06% chance of exploitation (low exploit probability)
CISA KEV: not listed; no confirmed active exploitation reported to CISA
Patch status: unknown; check vendor advisories for fix availability and mitigation guidance
CVSS: 4.9/10 (Medium); attack vector NETWORK, attack complexity HIGH
Affected Products (1): Mintlify
Affected Vendors: Mintlify
References (4)
Issue Tracking: https://news.ycombinator.com/item?id=46317098
Release Notes: https://www.mintlify.com/docs/changelog
Risk score: 21 / 100 (low-risk)
Severity: 16/34 · Moderate
Exploitability: 0/34 · Minimal
Exposure: 5/34 · Minimal