CVE-2025-58445: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in runatlantis atlantis
Atlantis is a self-hosted golang application that listens for Terraform pull request events via webhooks. All versions of Atlantis publicly expose detailed version information through its /status endpoint. This information disclosure could allow attackers to identify and target known vulnerabilities associated with the specific versions, potentially compromising the service's security posture. This issue does not currently have a fix.
AI Analysis
Technical Summary
CVE-2025-58445 is a medium-severity vulnerability affecting Atlantis, a self-hosted Golang application designed to automate Terraform pull request workflows via webhooks. The vulnerability arises because all versions of Atlantis up to and including 0.35.1 expose detailed version information through the publicly accessible /status endpoint. This exposure constitutes an information disclosure vulnerability classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). By revealing the exact version of Atlantis in use, attackers can identify whether the instance is running a version with known vulnerabilities or weaknesses. Although this vulnerability does not directly allow unauthorized access or code execution, it provides valuable reconnaissance data that can be leveraged in targeted attacks. The CVSS 4.0 base score is 6.9, reflecting a network attack vector with low complexity, no privileges or user interaction required, and limited impact confined to confidentiality (information disclosure). There is currently no fix or patch available for this issue, increasing the risk for organizations using affected versions. The vulnerability does not impact integrity or availability directly but weakens the security posture by facilitating further exploitation through version fingerprinting.
Potential Impact
For European organizations, the exposure of Atlantis version information can increase the risk of targeted attacks against their infrastructure-as-code automation pipelines. Terraform is widely used in cloud infrastructure management, and Atlantis automates Terraform pull request workflows, making it a critical component in DevOps and infrastructure security. Attackers armed with version details can tailor exploits or phishing campaigns to compromise infrastructure provisioning, potentially leading to unauthorized changes, data leakage, or service disruptions. While the vulnerability itself does not allow direct compromise, it lowers the barrier for attackers to identify vulnerable instances and plan subsequent attacks. This is particularly impactful for organizations with sensitive cloud environments or those under regulatory scrutiny for infrastructure security. The lack of a patch means organizations must rely on compensating controls to mitigate risk. Additionally, exposure of version information could aid threat actors in reconnaissance during cyber-espionage or ransomware campaigns targeting European enterprises.
Mitigation Recommendations
Since no official patch is currently available, European organizations should implement the following specific mitigations:
1) Restrict access to the /status endpoint by implementing network-level controls such as IP whitelisting or VPN-only access to limit exposure to internal or trusted users.
2) Use web application firewalls (WAFs) or reverse proxies to filter or block requests to the /status endpoint or to sanitize the response to avoid disclosing version information.
3) Monitor logs and network traffic for unusual access patterns to the /status endpoint to detect reconnaissance attempts.
4) Consider upgrading Atlantis to versions beyond 0.35.1 once a fix is released or engage with the vendor/community to prioritize a patch.
5) Employ infrastructure-as-code security best practices, including strict access controls on Terraform repositories and CI/CD pipelines, to reduce the impact of any potential compromise.
6) Conduct regular security assessments and penetration testing focusing on infrastructure automation components to identify and remediate weaknesses proactively.
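One way to apply mitigations 1 to 3 with a small reverse proxy placed in front of Atlantis, shown as an added example that is not part of the advisory or of the Atlantis code base. The trusted ranges, the listen port and the upstream address `127.0.0.1:4141` are assumptions to adapt to your deployment.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httputil"
	"net/netip"
	"net/url"
	"path"
)

// trusted lists the source ranges allowed to read /status (constructed values).
var trusted = []netip.Prefix{
	netip.MustParsePrefix("10.0.0.0/8"),
	netip.MustParsePrefix("127.0.0.1/32"),
}

// allowed reports whether the TCP peer address falls inside a trusted prefix.
// It deliberately ignores X-Forwarded-For, which the client controls.
func allowed(remoteAddr string) bool {
	ap, err := netip.ParseAddrPort(remoteAddr)
	if err != nil {
		return false
	}
	for _, p := range trusted {
		if p.Contains(ap.Addr().Unmap()) {
			return true
		}
	}
	return false
}

// guardStatus answers 404 for /status from untrusted peers and passes the rest on.
func guardStatus(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Clean first so "/status/", "//status" and "/./status" are all caught.
		if path.Clean("/"+r.URL.Path) == "/status" && !allowed(r.RemoteAddr) {
			log.Printf("denied /status from %s", r.RemoteAddr) // feeds mitigation 3
			http.NotFound(w, r)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	upstream, _ := url.Parse("http://127.0.0.1:4141") // assumed Atlantis listen address
	proxy := httputil.NewSingleHostReverseProxy(upstream)
	log.Fatal(http.ListenAndServe(":8080", guardStatus(proxy)))
}
```

The guard only helps if Atlantis itself is bound to loopback or firewalled so that the proxy is the sole path to it; if another proxy or load balancer sits in front, `r.RemoteAddr` will be that hop's address and the allowlist must be enforced there instead.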
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Finland, Denmark
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-09-01T20:03:06.533Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 68bccd0da2c363fb16078f96
Added to database: 9/7/2025, 12:08:45 AM
Last enriched: 9/7/2025, 12:09:23 AM
Last updated: 9/8/2025, 6:22:44 AM