
CVE-2025-52477: CWE-918: Server-Side Request Forgery (SSRF) in octo-sts app

Severity: High
Tags: Vulnerability, CVE-2025-52477, CWE-918
Published: Thu Jun 26 2025 (06/26/2025, 16:46:09 UTC)
Source: CVE Database V5
Vendor/Project: octo-sts
Product: app

Description

Octo-STS is a GitHub App that acts like a Security Token Service (STS) for the GitHub API. Octo-STS versions before v0.5.3 are vulnerable to unauthenticated SSRF by abusing fields in OpenID Connect tokens. Malicious tokens were shown to trigger internal network requests which could reflect error logs with sensitive information. Upgrade to v0.5.3 to resolve this issue. This version includes patch sets to sanitize input and redact logging.

AI-Powered Analysis

Last updated: 06/27/2025, 13:44:14 UTC

Technical Analysis

CVE-2025-52477 is a high-severity Server-Side Request Forgery (SSRF) vulnerability affecting the octo-sts GitHub App, versions prior to 0.5.3. Octo-STS functions as a Security Token Service (STS) for the GitHub API, facilitating token-based authentication and authorization. The vulnerability arises from improper input sanitization of fields within OpenID Connect tokens, which can be manipulated by unauthenticated attackers. By crafting malicious tokens, attackers can induce the application to make unauthorized internal network requests. These requests may trigger error logs that inadvertently expose sensitive internal information, such as internal IP addresses, service endpoints, or other confidential data. The vulnerability does not require any authentication or user interaction, increasing its risk profile. The vendor addressed this issue in version 0.5.3 by implementing input sanitization and redacting sensitive information from logs, thereby preventing exploitation and information leakage. The CVSS v3.1 base score is 8.6, reflecting a high severity due to the vulnerability's network attack vector, lack of required privileges or user interaction, and the potential for significant confidentiality impact without affecting integrity or availability. No known exploits are currently reported in the wild, but the vulnerability's nature and ease of exploitation warrant prompt remediation.

Potential Impact

For European organizations using octo-sts as part of their GitHub API integration or security infrastructure, this vulnerability poses a significant risk to confidentiality. Exploitation could allow attackers to probe internal networks, potentially revealing sensitive infrastructure details or internal services that could be leveraged for further attacks. This is particularly critical for organizations with complex internal networks or those handling sensitive intellectual property or personal data under GDPR regulations. While the vulnerability does not directly compromise data integrity or availability, the exposure of internal network details can facilitate lateral movement or targeted attacks, increasing overall organizational risk. Additionally, the unauthenticated nature of the exploit means that external attackers can attempt exploitation without prior access, raising the threat level for organizations with publicly accessible octo-sts deployments.

Mitigation Recommendations

European organizations should immediately upgrade octo-sts to version 0.5.3 or later to apply the official patch that sanitizes input and redacts sensitive logging information. Beyond patching, organizations should implement strict network segmentation and firewall rules to limit the octo-sts app's ability to make arbitrary internal network requests. Monitoring and alerting on unusual outbound requests from the octo-sts service can help detect exploitation attempts. Additionally, review and harden logging configurations to ensure sensitive information is not recorded or is properly redacted. Employing Web Application Firewalls (WAFs) with SSRF detection capabilities can provide an additional layer of defense. Finally, conduct regular security assessments and penetration tests focusing on SSRF vectors within internal applications to proactively identify similar weaknesses.
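The two fixes the description names, input sanitization and log redaction, can be illustrated together. The Go below is an added example, not octo-sts code; it assumes the abused token field is the OIDC issuer claim that the service would turn into a discovery request, which the page does not state. It validates the claim before any request is built, and adds a dial-time hook that refuses non-public destinations after DNS resolution while returning an error message that never echoes the token-supplied address.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"syscall"
)

// isPublicIP rejects loopback, RFC 1918, link-local (which covers the
// 169.254.169.254 cloud metadata address), unspecified and multicast ranges.
func isPublicIP(ip net.IP) bool {
	return !(ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsUnspecified() || ip.IsMulticast())
}

// ValidateIssuer checks an untrusted issuer claim before it is turned into an
// outbound OIDC discovery request (assumption: the claim is fetched as a URL).
func ValidateIssuer(iss string) error {
	u, err := url.Parse(iss)
	if err != nil || u.Scheme != "https" {
		return errors.New("issuer must be an https URL")
	}
	if u.User != nil || u.RawQuery != "" || u.Fragment != "" {
		return errors.New("issuer must not carry userinfo, query or fragment")
	}
	if host := u.Hostname(); host == "" || host == "localhost" {
		return errors.New("issuer host is empty or loopback")
	}
	if ip := net.ParseIP(u.Hostname()); ip != nil && !isPublicIP(ip) {
		return errors.New("issuer host is a non-public address")
	}
	return nil
}

// RejectNonPublic is a net.Dialer.Control hook; wire it in through
// http.Transport.DialContext. It runs after DNS resolution, so a hostname
// that resolves to an internal IP is still refused, and the error names only
// the category, never the token-supplied address, so it is safe to log.
func RejectNonPublic(network, address string, _ syscall.RawConn) error {
	host, _, err := net.SplitHostPort(address)
	if ip := net.ParseIP(host); err != nil || ip == nil || !isPublicIP(ip) {
		return errors.New("refusing connection to non-public address")
	}
	return nil
}

func main() { fmt.Println(ValidateIssuer("https://169.254.169.254/latest")) }
```

Where a deployment knows its trusted issuers in advance, an explicit allowlist is stricter than these denylist checks and should be preferred; the dial-time hook remains useful either way.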


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-06-17T02:28:39.717Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 685e9caaf6cf9081996a6c75

Added to database: 6/27/2025, 1:29:14 PM

Last enriched: 6/27/2025, 1:44:14 PM

Last updated: 8/1/2025, 4:05:41 AM
