CVE-2025-57815: 
Python vulnerability analysis and mitigation

CVE-2025-57815 affects Fides, an open-source privacy engineering platform, prior to version 2.69.1. The vulnerability was discovered and disclosed on September 8, 2025, and involves insufficient protection against brute-force attacks on the Fides Admin UI login endpoint. The system relied only on a general IP-based rate limit for all API traffic without specific anti-automation controls for authentication attempts (GitHub Advisory).

The vulnerability stems from the Fides Admin UI login endpoint's reliance on a single, system-wide rate limit that must be set high enough to accommodate high-volume legitimate traffic, resulting in inadequate protection for authentication attempts. The vulnerability has been assigned a CVSS v4.0 score of 1.7 (LOW) with the vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U. It is classified as CWE-307: Improper Restriction of Excessive Authentication Attempts (NVD).

While traditional brute-force attacks against single accounts are made difficult by password complexity requirements and global rate limits, the vulnerability exposes the system to more targeted attacks. Attackers could potentially conduct credential testing attacks, such as credential stuffing or password spraying, particularly against accounts with weak or previously compromised passwords. Successful exploitation would grant full access to the compromised user's privileges within the Fides Admin UI (GitHub Advisory).

The vulnerability has been patched in Fides version 2.69.1. For organizations with commercial Fides Enterprise licenses, a workaround is available through configuring Single Sign-On (SSO) via an OIDC provider (such as Azure, Google, or Okta). When OIDC SSO is enabled, username/password authentication can be disabled entirely, eliminating the attack vector. However, this workaround is not available for Fides Open Source users (GitHub Release, GitHub Advisory).