CVE-2025-57817: 
Python vulnerability analysis and mitigation

CVE-2025-57817 affects Fides, an open-source privacy engineering platform, prior to version 2.69.1. The vulnerability exists in the OAuth client creation and update endpoints of the Fides Webserver API where scope assignment is not properly authorized. The issue was discovered and disclosed on September 8, 2025, and affects all versions before 2.69.1 (GitHub Advisory).

The vulnerability stems from insufficient authorization checks in the OAuth client management endpoints. When creating or updating OAuth clients, the API only validates that requested scopes exist in the system registry but fails to verify that the requester already possesses the scopes they are assigning. The vulnerability has been assigned a CVSS v4.0 base score of 8.6 (High) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N. The issue is classified as CWE-862: Missing Authorization (GitHub Advisory).

This vulnerability allows highly privileged users with 'client:create' or 'client:update' permissions to escalate their privileges to owner-level access. Contributor-level users can gain unauthorized access to user management, system configuration, and permission assignment capabilities. While contributor users are already highly privileged, the vulnerability enables access to restricted scopes that can be exploited for high-impact actions (GitHub Advisory).

The vulnerability has been patched in Fides version 2.69.1. Users are strongly advised to upgrade to this version or later as there are no available workarounds. The fix implements proper authorization checks to verify that clients can only assign scopes they already possess (GitHub Release, GitHub Advisory).