CVE-2025-67844 is a vulnerability classified under CWE-425 (Direct Request or Forced Browsing) affecting the Mintlify Platform's GitHub Integration API prior to version 2025-11-15. The issue stems from insufficient validation of the repository owner and name fields during API configuration, where the platform fails to confirm that these fields belong to the GitHub App Installation ID associated with the user's organization. This flaw allows a remote attacker with authenticated access (PR:L) to craft API requests specifying arbitrary repository owner and name values, thereby retrieving sensitive metadata about repositories outside their authorized scope. The vulnerability does not require user interaction (UI:N) and can be exploited over the network (AV:N) with low attack complexity (AC:L). The impact is limited to confidentiality (C:L) as the attacker can obtain repository metadata but cannot alter data or disrupt service (I:N, A:N). The vulnerability has a CVSS 3.1 base score of 5.0, indicating medium severity. No patches or known exploits are currently documented, but the flaw presents a risk of information disclosure that could facilitate further attacks or reconnaissance. The core technical issue is the lack of ownership verification linking repository identifiers to the GitHub App Installation ID, which is a critical security control in multi-tenant or organization-scoped integrations.

For European organizations, this vulnerability could lead to unauthorized disclosure of sensitive repository metadata, including potentially confidential project details, configuration data, or internal development information. Such exposure can aid attackers in mapping organizational assets, identifying vulnerable codebases, or planning targeted attacks such as social engineering or supply chain compromises. While the vulnerability does not allow modification or denial of service, the confidentiality breach can undermine trust and compliance, especially under GDPR regulations concerning data protection and privacy. Organizations heavily reliant on Mintlify Platform integrated with GitHub for documentation or development workflows are at higher risk. The impact is particularly significant for sectors with stringent data confidentiality requirements, such as finance, healthcare, and critical infrastructure. Although exploitation requires authenticated access, insider threats or compromised credentials could be leveraged to exploit this flaw. The absence of known exploits reduces immediate risk but does not eliminate the potential for future attacks.

To mitigate CVE-2025-67844, organizations should ensure that Mintlify Platform is updated to versions released after 2025-11-15 that include proper validation of repository owner and name fields against the GitHub App Installation ID. Until patches are available, restrict access to the GitHub Integration API to trusted users and service accounts with minimal privileges. Implement monitoring and alerting for unusual API requests that specify repository identifiers outside the expected scope. Enforce strong authentication and credential management policies to reduce the risk of compromised accounts. Conduct regular audits of API usage logs to detect potential forced browsing attempts. Additionally, organizations should consider isolating sensitive repositories or metadata from integration tools where possible and apply the principle of least privilege in GitHub App installations. Collaboration with Mintlify support for timely updates and security advisories is recommended. Finally, incorporate this vulnerability into incident response plans to quickly address any detected exploitation attempts.