{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-25207", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2025-02-03T20:02:01.750Z", "datePublished": "2025-06-09T06:12:51.416Z", "dateUpdated": "2025-06-09T18:11:15.868Z"}, "containers": {"cna": {"title": "Rhcl: authpolicy callbacks result in denial of service in authorino severity", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "The Authorino service in the Red Hat Connectivity Link is the authorization service for zero trust API security. Authorino allows the users with developer persona to add callbacks to be executed to HTTP endpoints once the authorization process is completed. It was found that an attacker with developer persona access can add a large number of those callbacks to be executed by Authorino and as the authentication policy is enforced by a single instance of the service, this leada to a Denial of Service in Authorino while processing the post-authorization callbacks."}], "affected": [{"versions": [{"status": "affected", "version": "1.0.1", "versionType": "semver"}], "packageName": "rhcl-operator-container", "collectionURL": "https://www.redhat.com/pt-br/technologies/cloud-computing/connectivity-link", "defaultStatus": "unknown"}, {"vendor": "Red Hat", "product": "Red Hat Connectivity Link 1", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhcl-operator-container", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:connectivity_link:1"]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2025-25207", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2347421", "name": "RHBZ#2347421", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2025-02-24T00:00:00.000Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-703->CWE-400: Improper Check or Handling of Exceptional Conditions leads to Uncontrolled Resource Consumption", "timeline": [{"lang": "en", "time": "2025-02-24T22:53:00.778000+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2025-02-24T00:00:00+00:00", "value": "Made public."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2025-06-09T06:12:51.416Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-09T18:09:27.183095Z", "id": "CVE-2025-25207", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-09T18:11:15.868Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-25207", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-06-09T18:09:27.183095Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-09T18:09:37.757Z"}}], "cna": {"title": "Rhcl: authpolicy callbacks result in denial of service in authorino severity", "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.7, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"versions": [{"status": "affected", "version": "1.0.1", "versionType": "semver"}], "packageName": "rhcl-operator-container", "collectionURL": "https://www.redhat.com/pt-br/technologies/cloud-computing/connectivity-link", "defaultStatus": "unknown"}, {"cpes": ["cpe:/a:redhat:connectivity_link:1"], "vendor": "Red Hat", "product": "Red Hat Connectivity Link 1", "packageName": "rhcl-operator-container", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}], "timeline": [{"lang": "en", "time": "2025-02-24T22:53:00.778000+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2025-02-24T00:00:00+00:00", "value": "Made public."}], "datePublic": "2025-02-24T00:00:00.000Z", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2025-25207", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2347421", "name": "RHBZ#2347421", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "descriptions": [{"lang": "en", "value": "The Authorino service in the Red Hat Connectivity Link is the authorization service for zero trust API security. Authorino allows the users with developer persona to add callbacks to be executed to HTTP endpoints once the authorization process is completed. It was found that an attacker with developer persona access can add a large number of those callbacks to be executed by Authorino and as the authentication policy is enforced by a single instance of the service, this leada to a Denial of Service in Authorino while processing the post-authorization callbacks."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2025-06-09T06:12:51.416Z"}, "x_redhatCweChain": "CWE-703->CWE-400: Improper Check or Handling of Exceptional Conditions leads to Uncontrolled Resource Consumption"}}, "cveMetadata": {"cveId": "CVE-2025-25207", "state": "PUBLISHED", "dateUpdated": "2025-06-09T18:11:15.868Z", "dateReserved": "2025-02-03T20:02:01.750Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2025-06-09T06:12:51.416Z", "assignerShortName": "redhat"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Authorino service in the Red Hat Connectivity Link is the authorization service for zero trust API security. Authorino allows the users with developer persona to add callbacks to be executed to HTTP endpoints once the authorization process is completed. It was found that an attacker with developer persona access can add a large number of those callbacks to be executed by Authorino and as the authentication policy is enforced by a single instance of the service, this leada to a Denial of Service in Authorino while processing the post-authorization callbacks."}], "id": "CVE-2025-25207", "lastModified": "2025-06-09T12:15:47.880", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 3.6, "source": "secalert@redhat.com", "type": "Primary"}]}, "published": "2025-06-09T06:15:24.413", "references": [{"source": "secalert@redhat.com", "url": "https://access.redhat.com/security/cve/CVE-2025-25207"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2347421"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "secalert@redhat.com", "type": "Primary"}]}

{"bugzilla": {"description": "RHCL: AuthPolicy Callbacks Result in Denial of Service in Authorino Severity", "id": "2347421", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2347421"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.7", "cvss3_scoring_vector": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-703->CWE-400", "details": ["The Authorino service in the Red Hat Connectivity Link is the authorization service for zero trust API security. Authorino allows the users with developer persona to add callbacks to be executed to HTTP endpoints once the authorization process is completed. It was found that an attacker with developer persona access can add a large number of those callbacks to be executed by Authorino and as the authentication policy is enforced by a single instance of the service, this leada to a Denial of Service in Authorino while processing the post-authorization callbacks.", "The Authorino service in the Red Hat Connectivity Link is the authorization service for zero trust API security. Authorino allows the users with developer persona to add callbacks to be executed to HTTP endpoints once the authorization process is completed. It was found that an attacker with developer persona access can add a large number of those callbacks to be executed by Authorino and as the authentication policy is enforced by a single instance of the service, this leada to a Denial of Service in Authorino while processing the post-authorization callbacks."], "name": "CVE-2025-25207", "package_state": [{"cpe": "cpe:/a:redhat:connectivity_link:1", "fix_state": "Fix deferred", "package_name": "rhcl-operator-container", "product_name": "Red Hat Connectivity Link 1"}], "public_date": "2025-02-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-25207\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-25207"], "statement": "Red Hat Product Security has rated this vulnerability as having a impact of Moderated as there's some privilege needed to perform this attack.", "threat_severity": "Moderate"}