CVE-2025-64708: 
Chainguard vulnerability analysis and mitigation

CVE-2025-64708 affects authentik, an open-source Identity Provider, discovered and reported by @melizeche. The vulnerability was disclosed on November 19, 2025, affecting versions prior to 2025.8.5 and 2025.10.2. The issue involves invitation tokens being considered valid even after expiration, with cleanup tasks delayed by at least 5 minutes (GitHub Advisory).

The vulnerability exists in the get_invite method within the InvitationStage class where the application logic did not properly check for invitation expiry at the time of use. Instead, it relied on a periodic background task to clean up expired invitations every 5 minutes. The vulnerability has a CVSS v3.1 base score of 5.8 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N, indicating network accessibility, low attack complexity, and no required privileges or user interaction (NVD).

The vulnerability allows expired invitations to remain valid for at least 5 minutes after their expiration time, and potentially longer if there is a large backlog of tasks. This creates a window where expired invitations could still be used to access the system, potentially compromising access control mechanisms (GitHub Advisory).

The issue has been patched in authentik versions 2025.8.5 and 2025.10.2. For users unable to update, a workaround is available by creating a policy that explicitly checks invitation validity using the expression 'return not context['flowplan'].context['invitation'].isexpired' and binding it to the invitation stage on the invitation flow (GitHub Advisory).