Platform
go
Component
goauthentik.io
Fixed versions
2025.4.4
2025.6.1
0.0.0-20250722122105-7a4c6b9b50f8
CVE-2025-53942 describes a vulnerability in Authentik where the system lacks sufficient checks for an account's active status when authenticating through OAuth or SAML sources. This deficiency could allow an attacker to potentially gain unauthorized access. The vulnerability affects versions prior to v0.0.0-20250722122105-7a4c6b9b50f8. A patch has been released to address this issue.
The core impact of CVE-2025-53942 lies in the potential for unauthorized access to Authentik-managed resources. An attacker could exploit this flaw by crafting malicious OAuth or SAML requests that bypass the account active status verification. This could lead to the attacker impersonating a legitimate user and gaining access to sensitive data or performing actions on behalf of that user. The blast radius extends to any systems or applications relying on Authentik for authentication, as a compromised Authentik instance could serve as a gateway to other critical infrastructure. While no specific real-world exploitation has been publicly reported, the potential for abuse is significant, particularly in environments where OAuth/SAML integrations are prevalent.
CVE-2025-53942 was published on 2025-08-11. Its severity is currently assessed as HIGH (CVSS 7.5). There are no known public proof-of-concept exploits available at this time. The vulnerability is not currently listed on the CISA KEV catalog. Given the nature of the vulnerability and the potential for remote exploitation, it is prudent to prioritize remediation.
Organizations heavily reliant on Authentik for centralized authentication, particularly those using OAuth or SAML integrations with third-party applications, are at significant risk. Environments with legacy OAuth/SAML configurations or those lacking robust account activity monitoring are especially vulnerable.
• linux / server: Monitor Authentik logs for unusual authentication attempts or errors related to OAuth/SAML. Use journalctl -u authentik to filter for relevant events, for example:

    journalctl -u authentik | grep -iE "oauth|saml" | grep -i "error"

• generic web: Check Authentik's OAuth/SAML endpoints for unexpected behavior or unauthorized access attempts using curl -v <oauthendpoint> and curl -v <samlendpoint>. Examine access and error logs for suspicious patterns.
Exploitation status
EPSS
0.06% (18th percentile)
CISA SSVC
The primary mitigation for CVE-2025-53942 is to immediately upgrade Authentik to version v0.0.0-20250722122105-7a4c6b9b50f8 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds such as restricting OAuth/SAML access to trusted sources or implementing stricter account activity monitoring. Review and audit all OAuth/SAML configurations to ensure they adhere to security best practices. After upgrading, confirm the fix by attempting to authenticate with a test user account via OAuth/SAML and verifying that the account active status is correctly enforced.
Update authentik to version 2025.6.4 or later. Alternatively, apply the temporary workaround by adding an expression policy to the user login flow with the expression `return request.context["pending_user"].is_active`. This ensures that the user login stage is only activated when the user is active.
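To make the workaround concrete, the following added example (not authentik's own code) models a source login with and without the expression policy described above. `User`, `Request`, `evaluate_policy` and the constructed user table are simplified stand-ins for authentik's internals; only the policy expression itself is taken from the advisory.

```python
"""Model of the user-login stage with and without the advisory's
expression-policy workaround. Added example; not authentik code.
"""
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional


@dataclass
class User:
    username: str
    is_active: bool


@dataclass
class Request:
    # Stand-in for the `request.context` dict that authentik exposes
    # to expression policies (assumption: only `pending_user` is needed).
    context: Dict[str, Any] = field(default_factory=dict)


# The workaround expression from the advisory, verbatim.
WORKAROUND_EXPRESSION = 'return request.context["pending_user"].is_active'

# Constructed sample users: one active account, one deactivated account.
CONSTRUCTED_USERS = {
    "alice": User("alice", is_active=True),
    "mallory": User("mallory", is_active=False),
}


def evaluate_policy(expression: str, request: Request) -> bool:
    """Stand-in for authentik's expression-policy evaluator.

    The admin-authored expression body is wrapped in a function that
    receives `request`, mirroring how the advisory's expression is used.
    """
    body = "".join(f"    {line}\n" for line in expression.splitlines())
    namespace: Dict[str, Any] = {}
    exec("def _policy(request):\n" + body, {"__builtins__": {}}, namespace)
    return bool(namespace["_policy"](request))


def resolve_source_identity(subject: str) -> Optional[User]:
    # Constructed stand-in for matching an OAuth/SAML subject to a user.
    return CONSTRUCTED_USERS.get(subject)


def run_user_login_stage(subject: str, policies: List[str]) -> str:
    """Return the outcome of the login stage for a source-authenticated subject.

    With an empty policy list this reproduces the vulnerable behaviour
    (no is_active check); binding WORKAROUND_EXPRESSION denies inactive users.
    """
    user = resolve_source_identity(subject)
    if user is None:
        return "denied: unknown identity"
    request = Request(context={"pending_user": user})
    if not all(evaluate_policy(expr, request) for expr in policies):
        return "denied: policy"
    return f"logged in: {user.username}"
```

Running `run_user_login_stage("mallory", [])` shows the deactivated account being signed in, while `run_user_login_stage("mallory", [WORKAROUND_EXPRESSION])` is denied.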
CVE-2025-53942 is a HIGH severity vulnerability in Authentik affecting versions before v0.0.0-20250722122105-7a4c6b9b50f8. It allows unauthorized access due to insufficient checks for account active status during OAuth/SAML authentication.
If you are using Authentik versions prior to v0.0.0-20250722122105-7a4c6b9b50f8 and utilize OAuth or SAML authentication, you are potentially affected by this vulnerability.
Upgrade Authentik to version v0.0.0-20250722122105-7a4c6b9b50f8 or later to mitigate this vulnerability. Consider temporary workarounds if immediate upgrade is not possible.
As of the current assessment, there are no confirmed reports of active exploitation of CVE-2025-53942, but the potential for abuse exists.
Refer to the Authentik security advisory for detailed information and updates regarding CVE-2025-53942: [https://goauthentik.io/docs/security/advisories/](https://goauthentik.io/docs/security/advisories/)