
CVE-2025-58445: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in runatlantis atlantis

Medium
Type: Vulnerability
Tags: cve, cve-2025-58445, cwe-200
Published: Sat Sep 06 2025 (09/06/2025, 19:47:33 UTC)
Source: CVE Database V5
Vendor/Project: runatlantis
Product: atlantis

Description

Atlantis is a self-hosted golang application that listens for Terraform pull request events via webhooks. All versions of Atlantis publicly expose detailed version information through its /status endpoint. This information disclosure could allow attackers to identify and target known vulnerabilities associated with the specific versions, potentially compromising the service's security posture. This issue does not currently have a fix.

AI-Powered Analysis

Last updated: 09/15/2025, 00:48:47 UTC

Technical Analysis

CVE-2025-58445 is a medium-severity vulnerability affecting Atlantis, a self-hosted Golang application that automates Terraform pull request workflows via webhooks. All versions of Atlantis up to and including 0.35.1 publicly expose detailed version information through the /status endpoint without any authentication or access control, which is a CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) weakness. By accessing the /status endpoint, an attacker can determine the exact Atlantis version in use and so identify whether the target is running a version with known vulnerabilities, which facilitates targeted exploitation attempts. The vulnerability itself does not directly allow code execution or data manipulation, but it significantly lowers the attacker's effort to perform reconnaissance and craft attacks against known weaknesses in the disclosed version. There is currently no fix or patch available for this issue, which increases the risk for organizations relying on Atlantis versions <= 0.35.1.

The CVSS 4.0 base score is 6.9 (medium): the vulnerability is remotely exploitable over the network without authentication or user interaction, but the impact is limited to information disclosure, with low confidentiality impact and no integrity or availability impact. No known exploits are reported in the wild as of now.

Potential Impact

For European organizations utilizing Atlantis for Terraform automation, this vulnerability can have several implications. Terraform is widely used for infrastructure as code (IaC) deployments, and Atlantis automates Terraform pull request workflows, making it a critical component in DevOps pipelines. Exposure of version information could allow attackers to identify vulnerable Atlantis instances and attempt further attacks, such as exploiting other known vulnerabilities or chaining attacks to compromise infrastructure provisioning processes. This could lead to unauthorized changes in infrastructure, data breaches, or service disruptions. While the vulnerability itself does not directly compromise systems, it increases the attack surface and aids adversaries in reconnaissance. Organizations in Europe with automated cloud infrastructure deployments are at risk of targeted attacks, especially those with less mature security monitoring or those who have not restricted access to Atlantis endpoints. The lack of a patch means organizations must rely on compensating controls to mitigate risk. The impact is particularly relevant for sectors with critical infrastructure or sensitive data, such as finance, healthcare, and government, where infrastructure integrity and confidentiality are paramount.

Mitigation Recommendations

Given the absence of an official fix, European organizations should implement specific mitigations to reduce exposure:

1. Restrict access to the Atlantis /status endpoint by network segmentation and firewall rules, allowing only trusted internal IPs or VPN users to access the service.
2. Implement authentication and authorization layers in front of Atlantis endpoints using reverse proxies or API gateways to prevent unauthorized access.
3. Monitor and log all access to Atlantis endpoints to detect unusual or unauthorized queries, enabling rapid incident response.
4. Consider upgrading Atlantis to versions beyond 0.35.1 once a patch is released, or evaluate alternative tools with better security postures.
5. Conduct regular security assessments of the DevOps pipeline to identify and remediate information disclosure risks.
6. Educate DevOps teams about the risks of exposing version information and enforce secure configuration management practices to minimize unnecessary information leakage.
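The monitoring recommendation above can be checked against reverse-proxy access logs. The following is an added example, not code from Atlantis or from this advisory: it assumes the proxy in front of Atlantis writes the common "combined" access log format, and the trusted networks and sample log lines are constructed placeholders.

```python
import ipaddress
import re

# Assumption: networks allowed to reach Atlantis (internal ranges / VPN pool).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Combined log format: client ident user [time] "METHOD path PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def is_trusted(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # an unparsable client field is treated as untrusted
    return any(ip in net for net in TRUSTED_NETS)

def is_status_path(path):
    # Drop the query string and a trailing slash so /status?x=1 and /status/ match.
    return path.split("?", 1)[0].rstrip("/") == "/status"

def untrusted_status_hits(lines):
    """Return /status requests whose client is outside TRUSTED_NETS."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not is_status_path(m["path"]):
            continue
        if not is_trusted(m["ip"]):
            # "served" means the proxy let the request through (HTTP 200),
            # i.e. the version information was returned to that client.
            hits.append({"ip": m["ip"], "time": m["ts"],
                         "status": int(m["status"]), "served": m["status"] == "200"})
    return hits

# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE_LOG = [
    '10.1.2.3 - - [07/Sep/2025:00:10:01 +0000] "GET /status HTTP/1.1" 200 64 "-" "-"',
    '203.0.113.7 - - [07/Sep/2025:00:11:12 +0000] "GET /status HTTP/1.1" 200 64 "-" "-"',
    '198.51.100.20 - - [07/Sep/2025:00:12:40 +0000] "GET /status?x=1 HTTP/1.1" 403 153 "-" "-"',
    '203.0.113.7 - - [07/Sep/2025:00:13:05 +0000] "POST /events HTTP/1.1" 200 0 "-" "-"',
]

if __name__ == "__main__":
    for hit in untrusted_status_hits(SAMPLE_LOG):
        state = "SERVED (version exposed)" if hit["served"] else "blocked"
        print(f'{hit["time"]} {hit["ip"]} /status -> {hit["status"]} {state}')
```

A hit with `served` set to true means the access restriction is missing or bypassed for that client; a hit with a 403 shows the restriction working while still recording the probe.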

Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-09-01T20:03:06.533Z
Cvss Version: 4.0
State: PUBLISHED

Threat ID: 68bccd0da2c363fb16078f96

Added to database: 9/7/2025, 12:08:45 AM

Last enriched: 9/15/2025, 12:48:47 AM

Last updated: 10/22/2025, 4:59:33 AM
