CVE-2025-57815

LOW EPSS 19.5%
Published Sep 8, 20259mo ago · Modified Jun 17, 20261w ago
1.7 CVSS 4.0
Low
Find Similar
Published Sep 8, 2025 9mo ago
Last Modified Jun 17, 2026 1w ago

Description

Fides is an open-source privacy engineering platform. Prior to version 2.69.1, the Fides Admin UI login endpoint relies on a general IP-based rate limit for all API traffic and lacks specific anti-automation controls designed to protect against brute-force attacks. This could allow attackers to conduct credential testing attacks, such as credential stuffing or password spraying, which poses a risk to accounts with weak or previously compromised passwords. Version 2.69.1 fixes the issue. For organizations with commercial Fides Enterprise licenses, configuring Single Sign-On (SSO) through an OIDC provider (like Azure, Google, or Okta) is an effective workaround. When OIDC SSO is enabled, username/password authentication can be disabled entirely, which eliminates this attack vector. This functionality is not available for Fides Open Source users.

CVSS Details

Base Score
1.7
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
19.5% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-307

Affected Products 1

VendorProductVersionRange
ethycafides* <2.69.1

References 3

  • github.com https://github.com/ethyca/fides/commit/59903c195e2f9f8915a1db94950aefd557033a5c
    Patch
  • github.com https://github.com/ethyca/fides/releases/tag/2.69.1
    Release Notes
  • github.com https://github.com/ethyca/fides/security/advisories/GHSA-7q62-r88r-j5gw
    Vendor Advisory

Remediation

  • github.com https://github.com/ethyca/fides/commit/59903c195e2f9f8915a1db94950aefd557033a5c
    Patch