CVE-2025-57766: 
Python vulnerability analysis and mitigation

Fides, an open-source privacy engineering platform, was found to contain a session invalidation vulnerability (CVE-2025-57766) prior to version 2.69.1. The vulnerability relates to admin UI user password changes not invalidating active user sessions, which could allow attackers who have obtained session tokens through other attack vectors to maintain access even after password reset (GitHub Advisory). The vulnerability was discovered and disclosed in September 2025.

The vulnerability stems from Fides' implementation of encrypted authentication tokens with extended expiration periods. When a password is changed via password reset endpoints, the system updates the password hash in the database but does not invalidate existing client sessions or tokens. The authentication system validates tokens based on their cryptographic integrity and expiration time, rather than against the current password state. The vulnerability has been assigned CWE-613 (Insufficient Session Expiration) and received a CVSS v4.0 score of 1.7 (LOW) with vector string CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U (GitHub Advisory, NVD).

The vulnerability serves as a persistence mechanism in attack chains rather than a primary attack vector. When combined with token theft vulnerabilities, it allows attackers to maintain access beyond the remediation window when users change passwords in response to suspected compromise, extend the impact timeframe of client-side attacks, and defeat common incident response procedures that rely on password changes to secure compromised accounts (GitHub Advisory).

The vulnerability has been patched in Fides version 2.69.1, which implements proper session invalidation logic to end all sessions for a user when their password has been changed. No workarounds are available for unpatched versions, making upgrading to version 2.69.1 or later the only solution (GitHub Release, GitHub Advisory).