CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-25207: Rhcl: authpolicy callbacks result in denial of service in authorino severity

5.7 CVSS

Description

The Authorino service in the Red Hat Connectivity Link is the authorization service for zero trust API security. Authorino allows the users with developer persona to add callbacks to be executed to HTTP endpoints once the authorization process is completed. It was found that an attacker with developer persona access can add a large number of those callbacks to be executed by Authorino and as the authentication policy is enforced by a single instance of the service, this leada to a Denial of Service in Authorino while processing the post-authorization callbacks.

Classification

CVE ID: CVE-2025-25207

CVSS Base Severity: MEDIUM

CVSS Base Score: 5.7

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Problem Types

Uncontrolled Resource Consumption

Affected Products

Vendor: , Red Hat

Product: , Red Hat Connectivity Link 1

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.03% (probability of being exploited)

EPSS Percentile: 7.94% (scored less or equal to compared to others)

EPSS Date: 2025-06-12 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-25207
https://access.redhat.com/security/cve/CVE-2025-25207
https://bugzilla.redhat.com/show_bug.cgi?id=2347421

Timeline

2025-06-09 07:40:13 UTC
CVE

Rhcl: authpolicy callbacks result in denial of service in authorino severity
2025-06-09 13:15:21 UTC
Github Advisory Database (Go)

[github.com/kuadrant/authorino] Authorino Uncontrolled Resource Consumption vulnerability