
Cloud Vulnerability DB
A community-led vulnerabilities database
Octo-STS, a GitHub App that acts as a Security Token Service (STS) for the GitHub API, contained a high-severity vulnerability (CVE-2025-52477) in versions before v0.5.3. Disclosed on June 26, 2025, the issue lies in the handling of OpenID Connect (OIDC) tokens: an unauthenticated Server-Side Request Forgery (SSRF) that a remote attacker can trigger by manipulating claims in an OIDC token presented to the service (GitHub Advisory, Wiz).
The vulnerability is classified as CWE-918 (Server-Side Request Forgery) with a CVSS v3.1 base score of 8.6 (High) and the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N: reachable over the network, low attack complexity, no privileges and no user interaction required. The root cause is insufficient validation of token claims. In a typical OIDC verification flow the iss claim is read from the token before its signature can be checked, because it determines which issuer's discovery document and signing keys to fetch; when that value is not validated, a crafted token makes the server send a request to an attacker-chosen destination, including hosts on its internal network (GitHub Advisory, Wiz).
When exploited, the vulnerability lets an attacker reach internal services through Octo-STS and, because details of the failed request were reflected into error logs, learn information about the responses. The score reflects a high confidentiality impact with a scope change (S:C: the request originates from Octo-STS, but the targets are other systems on its network); integrity and availability are not affected (GitHub Advisory, Wiz).
The vulnerability is patched in Octo-STS v0.5.3. The fix adds validation of the critical OIDC token claims (iss, sub, aud) against the formats required by RFC 8414 and OpenID Connect Core 1.0, so that malformed issuer values are rejected rather than used to build a request, and it tightens logging so that sensitive values are redacted and attacker-controlled input is sanitized before it is written. Operators running Octo-STS should upgrade to v0.5.3 or later (GitHub Commit, GitHub Commit).
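The Go program below is an added illustration and is not code from Octo-STS or from its fix commits. It puts the unsafe primitive behind this class of bug (an OIDC discovery URL built from an unverified iss claim) next to the kind of claim validation and log redaction that the v0.5.3 patch is described as adding: issuer checks per OpenID Connect Discovery 1.0 / RFC 8414 (https scheme, no query or fragment, optional host allowlist), the 255-ASCII-character limit on sub from OpenID Connect Core 1.0, an aud check, and a log redaction helper. The function names, the allowlist, the constructed sample claims and the 169.254.169.254 target are assumptions made for the example; no network request is made.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
	"unicode"
)

// discoveryURL reproduces the unsafe pattern: deriving the OIDC discovery
// endpoint directly from the unverified iss claim, so the request goes
// wherever the token's author points it.
func discoveryURL(iss string) string {
	return strings.TrimSuffix(iss, "/") + "/.well-known/openid-configuration"
}

// validateIssuer enforces the issuer identifier format of OpenID Connect
// Discovery 1.0 section 3 / RFC 8414 section 2 (https, no query, no fragment)
// and, when allowedHosts is non-empty, an exact host match (assumed policy).
func validateIssuer(iss string, allowedHosts []string) error {
	u, err := url.Parse(iss)
	if err != nil {
		return fmt.Errorf("iss is not a valid URL: %w", err)
	}
	if u.Scheme != "https" {
		return errors.New("iss must use the https scheme")
	}
	if u.Host == "" || u.User != nil {
		return errors.New("iss must have a host and no userinfo")
	}
	if u.RawQuery != "" || u.ForceQuery || u.Fragment != "" {
		return errors.New("iss must not contain query or fragment components")
	}
	if len(allowedHosts) == 0 {
		return nil
	}
	for _, h := range allowedHosts {
		if strings.EqualFold(u.Host, h) {
			return nil
		}
	}
	return errors.New("iss host is not an allowed issuer")
}

// validateSubject applies OpenID Connect Core 1.0 section 2: sub is required
// and must not exceed 255 ASCII characters.
func validateSubject(sub string) error {
	if sub == "" {
		return errors.New("sub is required")
	}
	if len(sub) > 255 {
		return errors.New("sub exceeds 255 characters")
	}
	for _, r := range sub {
		if r > unicode.MaxASCII || unicode.IsControl(r) {
			return errors.New("sub must be printable ASCII")
		}
	}
	return nil
}

// validateAudience requires a non-empty aud that names this service.
func validateAudience(aud []string, expected string) error {
	for _, a := range aud {
		if a == expected {
			return nil
		}
	}
	return errors.New("aud missing or does not contain the expected audience")
}

// redactForLog makes an attacker-supplied value safe to log: control
// characters become '?' and the value is capped at max runes, so neither
// log injection nor a reflected response body reaches the log in full.
func redactForLog(s string, max int) string {
	var b strings.Builder
	for _, r := range s {
		if unicode.IsControl(r) {
			b.WriteRune('?')
		} else {
			b.WriteRune(r)
		}
	}
	out := []rune(b.String())
	if len(out) > max {
		return string(out[:max]) + "...[truncated]"
	}
	return string(out)
}

func main() {
	// Constructed sample claims, as an attacker might place them in a token;
	// the iss points at the link-local metadata address, a classic SSRF target.
	iss := "http://169.254.169.254/latest/meta-data"
	fmt.Println("unsafe pattern would fetch:", discoveryURL(iss))
	err := validateIssuer(iss, []string{"token.actions.githubusercontent.com"})
	fmt.Println("hardened check:", redactForLog(err.Error(), 120))
	fmt.Println("sub ok:", validateSubject("repo:example-org/example-repo:ref:refs/heads/main") == nil)
	fmt.Println("aud ok:", validateAudience([]string{"octo-sts.example"}, "octo-sts.example") == nil)
}
```

The ordering matters as much as the checks: validateIssuer runs on the raw claim before anything is fetched, so a rejected issuer never becomes a URL, and the only attacker-controlled text that reaches the log passes through redactForLog first.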
Source: This report was generated using AI