GHSA-v2p7-4pv4-3wwh
Suggest an improvement- Source
- https://github.com/advisories/GHSA-v2p7-4pv4-3wwh
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-v2p7-4pv4-3wwh/GHSA-v2p7-4pv4-3wwh.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-v2p7-4pv4-3wwh
- Aliases
-
- CVE-2025-59036
- Published
- 2025-09-10T20:47:07Z
- Modified
- 2025-09-10T21:14:55.669141Z
- Severity
-
- 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L CVSS Calculator
- Summary
- Infrahub: Deleted and expired API tokens can still authenticate
- Details
-
Impact
A bug in the authentication logic will cause API tokens that were deleted and/or expired to be considered valid. This means that any API token that is associated with an active user account can authenticate successfully.
Patches
This issue is fixed in versions
1.3.9and1.4.5Workarounds
Users can delete or deactivate the account associated with a deleted API token to prevent that token from authenticating.
- Database specific
{ "severity": "MODERATE", "nvd_published_at": "2025-09-09T22:15:34Z", "github_reviewed_at": "2025-09-10T20:47:07Z", "cwe_ids": [ "CWE-298" ], "github_reviewed": true }- References
-
- https://github.com/opsmill/infrahub/security/advisories/GHSA-v2p7-4pv4-3wwh
- https://nvd.nist.gov/vuln/detail/CVE-2025-59036
- https://github.com/opsmill/infrahub/commit/215185f217e2f754f7c0a0aa4b77e11079a063a1
- https://github.com/opsmill/infrahub/commit/61b49a4a9e988f10c3a44f0e86ef97f344a1e228
- https://github.com/opsmill/infrahub
- https://github.com/opsmill/infrahub/releases/tag/infrahub-v1.3.9
- https://github.com/opsmill/infrahub/releases/tag/infrahub-v1.4.5
Affected packages
PyPI / infrahub-server
Package
- Name
- infrahub-server
- View open source insights on deps.dev
- Purl
- pkg:pypi/infrahub-server
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.3.9
Affected versions
1.*
1.0.1
1.0.8
1.0.9
1.0.10
1.1.0b2
1.1.0
1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.1.6
1.1.7
1.1.8
1.1.9
1.1.10
1.2.0b1
1.2.0rc0
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.2.5
1.2.6
1.2.7
1.2.8
1.2.9rc0
1.2.9
1.2.10
1.2.11
1.2.12
1.3.0a0
1.3.0b1
1.3.0b2
1.3.0b3
1.3.0b5
1.3.0b6
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.3.5
1.3.6
1.3.7
1.3.8
PyPI / infrahub-server
Package
- Name
- infrahub-server
- View open source insights on deps.dev
- Purl
- pkg:pypi/infrahub-server