SecuriTricks - CVE-2025-25207

Description

The Authorino service in the Red Hat Connectivity Link is the authorization service for zero trust API security. Authorino allows the users with developer persona to add callbacks to be executed to HTTP endpoints once the authorization process is completed. It was found that an attacker with developer persona access can add a large number of those callbacks to be executed by Authorino and as the authentication policy is enforced by a single instance of the service, this leada to a Denial of Service in Authorino while processing the post-authorization callbacks.

Product(s) Impacted

Vendor	Product	Versions
Red Hat	Authorino Connectivity Link	* *

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-400

Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	red_hat	authorino	/	/	/	/	/	/	/	/
a	red_hat	connectivity_link	/	/	/	/	/	/	/	/

References

https://access.redhat.com/security/cve/CVE-2025-25207

https://bugzilla.redhat.com/show_bug.cgi?id=2347421

CVSS Score

5.7 / 10

CVSS Data - 3.1

Attack Vector: ADJACENT_NETWORK
Attack Complexity: LOW
Privileges Required: LOW
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

View Vector String

Timeline

Published: June 9, 2025, 6:15 a.m.
Last Modified: June 9, 2025, 12:15 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

secalert@redhat.com

CVE-2025-25207