CVE-2025-58445: 
Atlantis vulnerability analysis and mitigation

Atlantis is a self-hosted golang application that listens for Terraform pull request events via webhooks. The vulnerability (CVE-2025-58445) affects all versions of Atlantis, where detailed version information is publicly exposed through its /status endpoint. The issue was discovered and disclosed on September 6, 2025 (GitHub Advisory).

The vulnerability stems from the /status endpoint returning not only health check information but also detailed version and build information without requiring authentication. The issue has been assigned a CVSS v4.0 base score of 6.9 (MEDIUM) with vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N and CVSS v3.1 base score of 7.5 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (NVD).

This information disclosure vulnerability could allow attackers to identify and target known vulnerabilities associated with specific versions, potentially compromising the service's security posture. Attackers could use the version details to scan public vulnerability repositories and tailor attacks based on known flaws in that particular version (GitHub Advisory).

Currently, this issue does not have a fix. Best practices from OWASP Top 10 and NIST SP 800-53 recommend restricting such potentially exploitable information to safeguarded internal channels to mitigate the risk of targeted attacks (GitHub Advisory).