10 matches found

EUVD
added 2025/10/03 8:07 p.m., 5 views

EUVD-2025-27268

Malicious code in bioql PyPI...

CVSS 8.6, AI score 6.3, EPSS 0.00099
Exploits 0, References 4
RedhatCVE
added 2025/09/10 9:17 p.m., 5 views

CVE-2025-57766

Fides is an open-source privacy engineering platform. Prior to version 2.69.1, admin UI user password changes in Fides do not invalidate active user sessions, creating a vulnerability chaining opportunity where attackers who have obtained session tokens through other attack vectors such as XSS ca...

CVSS 6.3, AI score 6.8, EPSS 0.00072
Exploits 1, References 1
RedhatCVE
added 2025/09/10 9:17 p.m., 7 views

CVE-2025-57815

Fides is an open-source privacy engineering platform. Prior to version 2.69.1, the Fides Admin UI login endpoint relies on a general IP-based rate limit for all API traffic and lacks specific anti-automation controls designed to protect against brute-force attacks. This could allow attackers to...

CVSS 6.5, AI score 7, EPSS 0.00074
Exploits 0, References 1
Cvelist
added 2025/09/08 9:17 p.m., 7 views

CVE-2025-57817 Fides Webserver API is Vulnerable to OAuth Client Privilege Escalation

Fides is an open-source privacy engineering platform. Prior to version 2.69.1, the OAuth client creation and update endpoints of the Fides Webserver API do not properly authorize scope assignment. This allows highly privileged users with client:create or client:update permissions to escalate thei...

CVSS 8.6, EPSS 0.00099
Exploits 0, References 3
Vulnrichment
added 2025/09/08 9:17 p.m., 3 views

CVE-2025-57817 Fides Webserver API is Vulnerable to OAuth Client Privilege Escalation

Fides is an open-source privacy engineering platform. Prior to version 2.69.1, the OAuth client creation and update endpoints of the Fides Webserver API do not properly authorize scope assignment. This allows highly privileged users with client:create or client:update permissions to escalate thei...

CVSS 8.6, AI score 6.6, EPSS 0.00099
Exploits 0, References 3
OSV
added 2025/09/08 9:17 p.m., 6 views

CVE-2025-57817 Fides Webserver API is Vulnerable to OAuth Client Privilege Escalation

Fides is an open-source privacy engineering platform. Prior to version 2.69.1, the OAuth client creation and update endpoints of the Fides Webserver API do not properly authorize scope assignment. This allows highly privileged users with client:create or client:update permissions to escalate thei...

CVSS 8.6, AI score 6.8, EPSS 0.00099
Exploits 0, References 5
Snyk
added 2025/09/08 8:46 p.m., 1 view

Missing Authorization

Overview ethyca-fides is an Open-source ecosystem for data privacy as code. Affected versions of this package are vulnerable to Missing Authorization via the OAuth client creation and update process. An attacker can gain unauthorized access to owner-level privileges by assigning arbitrary scopes ...

CVSS 8.6, AI score 6.9, EPSS 0.00099
Exploits 0, References 2
OSV
added 2025/09/08 8:45 p.m., 3 views

GHSA-FQ34-XW6C-FPHF Fides Webserver API Rate Limiting Vulnerability in Proxied Environments

Summary The Fides Webserver API's built-in IP-based rate limiting is ineffective in environments with CDNs, proxies or load balancers. The system incorrectly applies rate limits based on directly connected infrastructure IPs rather than client IPs, and stores counters in-memory rather than in a...

CVSS 7.5, AI score 7, EPSS 0.00042
Exploits 0, References 5
OSV
added 2025/05/27 6:00 p.m., 3 views

GHSA-8R88-6CJ9-9FH5 auth-js Vulnerable to Insecure Path Routing from Malformed User Input

Impact The library functions getUserById, deleteUser, updateUserById, listFactors and deleteFactor did not require the user supplied values to be valid UUIDs. This could lead to a URL path traversal, resulting in the wrong API function being called. Implementations that follow security best...

CVSS 6.9, AI score 7.2, EPSS 0.002
Exploits 0, References 5
Vulnrichment
added 2025/05/27 3:27 p.m., 11 views

CVE-2025-48370 auth-js Vulnerable to Insecure Path Routing from Malformed User Input

auth-js is an isomorphic Javascript library for Supabase Auth. Prior to version 2.70.0, the library functions getUserById, deleteUser, updateUserById, listFactors and deleteFactor did not require the user supplied values to be valid UUIDs. This could lead to a URL path traversal, resulting in the...

CVSS 6.9, AI score 5.2, EPSS 0.002
Exploits 0, References 3