Platform: go
Component: github.com/octo-sts/app
Fixed in: 0.5.4, 0.5.3
CVE-2025-52477 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in Octo STS, a Go-based OpenID Connect token validation library. This flaw allows an unauthenticated attacker to manipulate requests originating from the application, potentially accessing internal resources or external services without proper authorization. The vulnerability affects versions prior to 0.5.3 and has been resolved with the release of version 0.5.3.
The SSRF vulnerability in Octo STS presents a significant risk because it bypasses authentication mechanisms. An attacker can craft malicious OpenID Connect tokens containing attacker-controlled URLs, tricking the application into making requests to arbitrary internal or external endpoints. This could lead to unauthorized access to sensitive data stored within the organization's network, such as configuration files, database credentials, or internal APIs. The attacker could also leverage the SSRF to scan internal networks, conduct port scanning, or interact with other vulnerable services within the infrastructure, expanding the attack surface and potentially enabling lateral movement. The impact is amplified if Octo STS is used in a critical authentication flow, as a successful exploit could compromise the entire system.
CVE-2025-52477 was publicly disclosed on 2025-07-28. Because SSRF flaws are often relatively easy to exploit once identified, the exploitation probability is assessed as medium. No public proof-of-concept (PoC) code has been released as of this writing, but the ease of exploitation makes it likely that PoCs will emerge. It is not currently listed on the CISA KEV catalog.
Organizations that rely on Octo STS for OpenID Connect token validation, particularly those with internal services accessible via HTTP or HTTPS, are at risk. This includes applications that integrate with identity providers and use Octo STS to verify user authentication. Environments with limited network segmentation or inadequate WAF protection are especially vulnerable.
• go: Inspect application code for instances where Octo STS is used to validate OpenID Connect tokens. Look for code that directly uses the token's claims to construct outbound URLs without proper validation.
• generic web: Monitor outbound network traffic from the application for requests to unexpected or internal IP addresses. Use tools like tcpdump or network intrusion detection systems (NIDS) to identify suspicious patterns.
• linux / server: Examine application logs for errors related to token validation or unexpected outbound requests. Use journalctl to filter for relevant log entries.
journalctl -u your_app_service -f | grep "Octo STS" | grep "URL"
Exploit status
EPSS: 0.07% (21st percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2025-52477 is to immediately upgrade Octo STS to version 0.5.3 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, implement strict input validation on all OpenID Connect tokens processed by the application. Specifically, validate and sanitize the iss, aud, and sub claims so that malicious URLs carried in the token are never used to build outbound requests. Additionally, configure a Web Application Firewall (WAF) to block requests containing suspicious URLs or patterns indicative of SSRF attacks. Monitor application logs for unusual outbound requests originating from Octo STS, which could indicate exploitation attempts. After upgrading, confirm the fix by attempting to craft a malicious OpenID Connect token and verifying that the application no longer makes unauthorized requests.
Update Octo-STS to version 0.5.3 or later. This version includes patches that sanitize input and redact logging, mitigating the SSRF vulnerability. The update can be performed by downloading the new version and replacing the existing files.
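As an added example (not code from the Octo STS project), the following Go function shows the kind of claim validation described above: an unverified iss claim is checked against an issuer allowlist and rejected if it carries credentials, a query, a non-https scheme, or a literal non-public address, before it is used to build the OIDC discovery URL. The issuer names are constructed placeholders.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// trustedIssuers is the allowlist of issuers this deployment accepts.
// The entries are constructed placeholders for this example.
var trustedIssuers = map[string]bool{
	"https://idp.example.com": true,
}

// ValidateIssuer checks an unverified "iss" claim before anything derived
// from it is used in an outbound request. It returns the normalized issuer.
func ValidateIssuer(iss string) (string, error) {
	u, err := url.Parse(iss)
	if err != nil {
		return "", fmt.Errorf("iss is not a URL: %w", err)
	}
	if u.Scheme != "https" {
		return "", errors.New("iss must use https")
	}
	if u.User != nil || u.RawQuery != "" || u.Fragment != "" {
		return "", errors.New("iss must not carry credentials, query or fragment")
	}
	// Reject literal loopback, private, link-local and unspecified addresses.
	if ip := net.ParseIP(u.Hostname()); ip != nil {
		if ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() || ip.IsUnspecified() {
			return "", errors.New("iss host is a non-public address")
		}
	}
	normalized := strings.TrimSuffix(u.String(), "/")
	if !trustedIssuers[normalized] {
		return "", fmt.Errorf("issuer %q is not in the allowlist", normalized)
	}
	return normalized, nil
}

// DiscoveryURL builds the discovery endpoint only from a validated issuer.
func DiscoveryURL(iss string) (string, error) {
	v, err := ValidateIssuer(iss)
	if err != nil {
		return "", err
	}
	return v + "/.well-known/openid-configuration", nil
}
```

The allowlist is the real control here: the address checks only catch literal IPs, so a hostname that resolves to an internal address is stopped by the allowlist, not by the IP test.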
CVE-2025-52477 is a HIGH-severity SSRF vulnerability affecting Octo STS versions before 0.5.3. An attacker can abuse OpenID Connect tokens to make unauthorized requests, potentially accessing internal resources.
If you are using Octo STS versions prior to 0.5.3, you are vulnerable. Verify your version and upgrade immediately.
Upgrade Octo STS to version 0.5.3 or later. If immediate upgrade is not possible, implement strict input validation on OpenID Connect tokens and configure a WAF.
No active exploitation has been confirmed as of this writing, but the vulnerability's nature suggests a potential for exploitation.
Refer to the official Octo STS project repository and associated security advisories for the latest information and updates.