CVE-2025-57817: 
Python vulnerability analysis and mitigation

CVE-2025-57817 affects the Fides Webserver API prior to version 2.69.1. The vulnerability involves improper authorization of scope assignment in the OAuth client creation and update endpoints. This security issue was discovered and disclosed on September 8, 2025, affecting all versions of Fides up to (but not including) version 2.69.1 (NVD, GitHub Advisory).

The vulnerability stems from insufficient authorization checks in the OAuth client management endpoints. When creating or updating OAuth clients, the API only validates that requested scopes exist in the system registry but fails to verify that the requester already possesses the scopes they are assigning. The issue has been assigned a CVSS v4.0 base score of 8.6 (HIGH) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N. The vulnerability is classified as CWE-862: Missing Authorization (GitHub Advisory).

This vulnerability allows highly privileged users with client:create or client:update permissions to escalate their privileges to owner-level access. Contributor-level users can gain unauthorized access to user management, system configuration, and permission assignment capabilities. The impact is considered high as it affects both confidentiality and integrity of the system (GitHub Advisory).

The vulnerability has been patched in Fides version 2.69.1. Users are strongly advised to upgrade to this version or later as there are no available workarounds. The fix includes implementing proper authorization checks for scope assignment during OAuth client creation and updates (GitHub Release, GitHub Advisory).