CVE-2025-52477 – github.com/octo-sts/app
Package
Manager: go
Name: github.com/octo-sts/app
Vulnerable Version: >=0 <0.5.3
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
EPSS: 0.00045 pctl0.12994
Details
Octo STS Unauthenticated SSRF by abusing fields in OpenID Connect tokens

## Summary

Octo-STS versions before v0.5.3 are vulnerable to unauthenticated SSRF by abusing fields in OpenID Connect tokens. Malicious tokens were shown to trigger internal network requests whose error logs could expose sensitive information.

Please upgrade to v0.5.3 to resolve this issue. This version includes patch sets to [sanitize input](https://github.com/octo-sts/app/commit/b3976e39bd8c8c217c0670747d34a4499043da92) and [redact logging](https://github.com/octo-sts/app/commit/0f177fde54f9318e33f0bba6abaea9463a7c3afd).

Many thanks to @vicevirus for reporting this issue and for assisting with remediation review.

## References

- https://github.com/octo-sts/app/security/advisories/GHSA-h3qp-hwvr-9xcq
- https://github.com/octo-sts/app/commit/b3976e39bd8c8c217c0670747d34a4499043da92
- https://github.com/octo-sts/app/commit/0f177fde54f9318e33f0bba6abaea9463a7c3afd
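The advisory describes the two halves of the fix only by name: sanitize the token-derived input before it drives a server-side request, and redact what ends up in logs. The Go code below is an added illustration of that defence class for a CWE-918 finding; it is not Octo STS's code or its patch. It assumes the abused field is a URL the server fetches (in OIDC the `iss` claim is the usual candidate for discovery, but the advisory does not name the field), and it uses a constructed resolver table with sample addresses so that it runs offline. `ValidateIssuerURL`, `isForbiddenIP`, `RedactTokens` and `fakeResolver` are names chosen here, not project identifiers.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"regexp"
	"strings"
)

// Resolver abstracts DNS lookup so the guard can be exercised offline.
type Resolver func(host string) ([]net.IP, error)

// SystemResolver uses the host's resolver.
func SystemResolver(host string) ([]net.IP, error) { return net.LookupIP(host) }

// isForbiddenIP reports whether an address must never be contacted on behalf
// of an untrusted token: loopback, private (RFC 1918 / RFC 4193), link-local
// (which covers cloud metadata endpoints such as 169.254.169.254),
// unspecified and multicast addresses.
func isForbiddenIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsUnspecified() || ip.IsMulticast()
}

// ValidateIssuerURL checks a URL taken from an untrusted token before the
// server fetches anything from it (for example OIDC discovery). It rejects
// non-https schemes, embedded credentials, IP literals (legitimate issuers
// are DNS names) and any hostname that resolves into a forbidden range.
func ValidateIssuerURL(raw string, resolve Resolver) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("issuer is not a valid URL: %w", err)
	}
	if u.Scheme != "https" {
		return errors.New("issuer must use https")
	}
	if u.User != nil {
		return errors.New("issuer must not embed credentials")
	}
	host := strings.ToLower(u.Hostname())
	if host == "" {
		return errors.New("issuer has no host")
	}
	if host == "localhost" || strings.HasSuffix(host, ".localhost") {
		return errors.New("issuer host is localhost")
	}
	if net.ParseIP(host) != nil {
		return errors.New("issuer host must be a DNS name, not an IP literal")
	}
	ips, err := resolve(host)
	if err != nil {
		return fmt.Errorf("resolving issuer host: %w", err)
	}
	if len(ips) == 0 {
		return errors.New("issuer host did not resolve")
	}
	for _, ip := range ips {
		if isForbiddenIP(ip) {
			return fmt.Errorf("issuer host %s resolves to forbidden address %s", host, ip)
		}
	}
	return nil
}

// jwtPattern matches anything shaped like a compact JWS/JWT (three base64url
// segments) so that a raw token never reaches log output.
var jwtPattern = regexp.MustCompile(`\b[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b`)

// RedactTokens replaces JWT-shaped substrings in a log message.
func RedactTokens(msg string) string {
	return jwtPattern.ReplaceAllString(msg, "[redacted-token]")
}

// fakeResolver is a constructed DNS table for offline demonstration; the
// addresses are sample values, not real records.
func fakeResolver(host string) ([]net.IP, error) {
	switch host {
	case "token.actions.githubusercontent.com":
		return []net.IP{net.ParseIP("140.82.112.22")}, nil
	case "internal.example":
		return []net.IP{net.ParseIP("10.0.0.5")}, nil
	}
	return nil, errors.New("no such host")
}

func main() {
	for _, iss := range []string{
		"https://token.actions.githubusercontent.com",
		"http://token.actions.githubusercontent.com",
		"https://internal.example",
		"https://169.254.169.254/latest/meta-data/",
	} {
		fmt.Printf("%-50s -> %v\n", iss, ValidateIssuerURL(iss, fakeResolver))
	}
	fmt.Println(RedactTokens("verify failed for eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJ4In0.c2lnbmF0dXJlMTIzNDU2"))
}
```

Two caveats a reviewer would raise on this pattern. First, resolving once in the validator and again inside the HTTP client is a time-of-check/time-of-use window (DNS rebinding); in a deployed service the address check belongs in the dialer (`net.Dialer.Control` or a custom `DialContext`) so it applies to the connection actually made. Second, regex-based redaction is a last line of defence: the stronger fix is to never place the raw token or the upstream response body into the error that gets logged.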
Metadata
Created: 2025-06-26T18:53:54Z
Modified: 2025-06-26T18:53:54Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-h3qp-hwvr-9xcq/GHSA-h3qp-hwvr-9xcq.json
CWE IDs: ["CWE-918"]
Alternative ID: GHSA-h3qp-hwvr-9xcq
Finding: F100
Auto approve: 1