Platform: go
Component: github.com/octo-sts/app
Fixed in: 0.5.4, 0.5.3
CVE-2025-52477 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in Octo STS, a Go-based OpenID Connect token validation library. This flaw allows an unauthenticated attacker to manipulate requests originating from the application, potentially accessing internal resources or external services without proper authorization. The vulnerability affects versions prior to 0.5.3 and has been resolved with the release of version 0.5.3.
The SSRF vulnerability in Octo STS presents a significant risk because it bypasses authentication mechanisms. An attacker can craft OpenID Connect tokens whose claims carry attacker-controlled URLs, tricking the application into sending requests to arbitrary internal or external endpoints. This could expose sensitive data held on the organization's network, such as configuration files, database credentials, or internal APIs. The attacker could also use the SSRF to map internal networks, perform port scanning, or interact with other vulnerable services in the infrastructure, widening the attack surface and potentially enabling lateral movement. The impact is amplified where Octo STS sits in a critical authentication flow, since a successful exploit could compromise the whole system.
CVE-2025-52477 was publicly disclosed on 2025-07-28. Because SSRF flaws are often straightforward to exploit once identified, the likelihood of exploitation is assessed as medium. No public proof-of-concept (PoC) code has been released as of this writing, but the ease of exploitation makes it likely that PoCs will emerge. It is not currently listed in the CISA KEV catalog.
Exploit Status
EPSS: 0.07% (21st percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-52477 is to upgrade Octo STS to version 0.5.3 or later immediately. If upgrading is not immediately feasible because of compatibility issues or breaking changes, implement strict input validation on all OpenID Connect tokens the application processes: in particular, validate and sanitize the iss, aud, and sub claims so that attacker-supplied URLs in a token are rejected. Additionally, configure a Web Application Firewall (WAF) to block requests containing suspicious URLs or patterns indicative of SSRF attacks. Monitor application logs for unusual outbound requests originating from Octo STS, which could indicate exploitation attempts. After upgrading, confirm the fix by crafting a malicious OpenID Connect token and verifying that the application no longer makes unauthorized requests.
Update Octo STS to version 0.5.3 or higher. This version includes patches that sanitize input and redact logging, mitigating the SSRF vulnerability. The update can be performed by downloading the new version and replacing the existing files.
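As an added example (not code from the Octo STS project), the Go function below performs the issuer validation step recommended above: the iss claim of a not-yet-verified token is checked before it is used to build the OIDC discovery URL, so no outbound request is made for an issuer that fails the checks. The allowlist entries are constructed placeholders, and nothing about how Octo STS itself handles claims is assumed.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Constructed allowlist for this example; a deployment loads its real issuers from config.
var trustedIssuers = map[string]bool{
	"https://token.actions.githubusercontent.com": true,
	"https://accounts.google.com":                 true,
}

// DiscoveryURL treats the iss claim of a not-yet-verified token as untrusted input and
// returns the discovery URL the validator may fetch, or an error before any request is sent.
func DiscoveryURL(iss string) (string, error) {
	u, err := url.Parse(iss)
	if err != nil {
		return "", fmt.Errorf("iss is not a URL: %w", err)
	}
	if u.Scheme != "https" || u.User != nil || u.RawQuery != "" || u.Fragment != "" {
		return "", errors.New("iss must be a bare https URL without credentials, query or fragment")
	}
	// A literal IP is never a legitimate issuer; refuse internal address ranges outright.
	if ip := net.ParseIP(u.Hostname()); ip != nil {
		if ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() || ip.IsUnspecified() {
			return "", errors.New("iss points at a non-public address")
		}
	}
	// Canonicalise (lower-case host, no trailing slash) and require an exact allowlist
	// match: prefix matching would admit accounts.google.com.evil.example.
	canon := u.Scheme + "://" + strings.ToLower(u.Host) + strings.TrimRight(u.Path, "/")
	if !trustedIssuers[canon] {
		return "", fmt.Errorf("issuer %q is not trusted", canon)
	}
	return canon + "/.well-known/openid-configuration", nil
}

func main() {
	for _, iss := range []string{"https://token.actions.githubusercontent.com/", "https://10.0.0.5/admin"} {
		u, err := DiscoveryURL(iss)
		fmt.Println(iss, "->", u, err)
	}
}
```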
CVE-2025-52477 is a HIGH severity SSRF vulnerability affecting Octo STS versions before 0.5.3. An attacker can abuse OpenID Connect tokens to make unauthorized requests, potentially accessing internal resources.
If you are using Octo STS versions prior to 0.5.3, you are vulnerable. Verify your version and upgrade immediately.
Upgrade Octo STS to version 0.5.3 or later. If immediate upgrade is not possible, implement strict input validation on OpenID Connect tokens and configure a WAF.
No active exploitation has been confirmed as of this writing, but the vulnerability's nature suggests a potential for exploitation.
Refer to the official Octo STS project repository and associated security advisories for the latest information and updates.