Fides Webserver API is Vulnerable to OAuth Client Privilege Escalation

8.6 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

Description

Fides is an open-source privacy engineering platform. Prior to version 2.69.1, the OAuth client creation and update endpoints of the Fides Webserver API do not properly authorize scope assignment. This allows highly privileged users with `client:create` or `client:update` permissions to escalate their privileges to owner-level. Version 2.69.1 fixes the issue. No known workarounds are available.

Basic Information

ID CVE-2025-57817

Source GitHub_M

Published Sep 8, 2025 at 21:17

Modified Sep 8, 2025 at 21:19

Affected Product

Vendor ethyca

Product fides

Version < 2.69.1

Affected Versions ethyca fides < 2.69.1

CWE Classification

CWE-862

References

{
    "lastseen": "",
    "description": "Fides is an open-source privacy engineering platform. Prior to version 2.69.1, the OAuth client creation and update endpoints of the Fides Webserver API do not properly authorize scope assignment. This allows highly privileged users with `client:create` or `client:update` permissions to escalate their privileges to owner-level. Version 2.69.1 fixes the issue. No known workarounds are available.",
    "published": "2025-09-08T21:17:09.105Z",
    "modified": "2025-09-08T21:19:39.349Z",
    "type": "cve",
    "title": "Fides Webserver API is Vulnerable to OAuth Client Privilege Escalation",
    "source": "GitHub_M",
    "references": "https://github.com/ethyca/fides/security/advisories/GHSA-hjfh-p8f5-24wr\nhttps://github.com/ethyca/fides/commit/2ffd125e1089a09b84c27fb5279a05960cbf2452\nhttps://github.com/ethyca/fides/releases/tag/2.69.1",
    "id": "CVE-2025-57817",
    "bulletinFamily": "",
    "cwe": [
        "CWE-862"
    ],
    "cvelist": null,
    "sourceData": "ethyca fides < 2.69.1",
    "sourceHref": "",
    "cvss": {
        "score": 8.6,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "fides",
    "version": "< 2.69.1",
    "vendor": "ethyca",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Fides Webserver API is Vulnerable to OAuth Client Privilege Escalation_CVE-2025-57817