CVE-2025-25207 — Vulnetix

CVE-2025-25207 PUBLISHED CVSS 5.699999809265137 MEDIUM

The Authorino service in the Red Hat Connectivity Link is the authorization service for zero trust API security. Authorino allows the users with developer persona to add callbacks to be executed to HTTP endpoints once the authorization process is completed. It was found that an attacker with developer persona access can add a large number of those callbacks to be executed by Authorino and as the authentication policy is enforced by a single instance of the service, this leada to a Denial of Service in Authorino while processing the post-authorization callbacks.

EPSS 0.03% · 9.0th percentile

Risk Scores

CVSS 3.1

5.699999809265137

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS Score

0.03%

9.0th percentile

Affected Products

Vendor	Product	Versions
github.com	kuadrant/authorino	0, 0
Red Hat	Red Hat Connectivity Link 1
		1.0.1, 1.0.1

Exploit Intelligence

CIRCL seen: CVE-2025-25207 (circl-sighting)
https://access.redhat.com/security/cve/CVE-2025-25207 (circl)
RHBZ#2347421 (circl)

Timeline

Jun 9, 2025 CVE Published
Jun 9, 2025 EPSS Score
Jun 9, 2025 Coalition ESS Score
Jun 9, 2025 PoC Published
Jun 20, 2025 EPSS Score
Jun 30, 2025 EPSS Score
Jul 11, 2025 EPSS Score
Jul 21, 2025 EPSS Score
Aug 1, 2025 EPSS Score
Aug 11, 2025 EPSS Score
Aug 22, 2025 EPSS Score
Aug 22, 2025 Coalition ESS Score

References

https://access.redhat.com/security/cve/CVE-2025-25207 vdb
RHBZ#2347421 issue
https://nvd.nist.gov/vuln/detail/CVE-2025-25207 advisory
https://github.com/Kuadrant/authorino package

Open in Interactive Console →