CVE-2025-67844: CWE-425 Direct Request ('Forced Browsing') in Mintlify Mintlify Platform
The GitHub Integration API in Mintlify Platform before 2025-11-15 allows remote attackers to obtain sensitive repository metadata via the repository owner and name fields. It fails to validate that the repository owner and name fields provided during configuration belong to the specific GitHub App Installation ID associated with the user's organization.
AI Analysis
Technical Summary
CVE-2025-67844 is a vulnerability classified under CWE-425 (Direct Request, 'Forced Browsing') affecting the Mintlify Platform's GitHub Integration API in versions prior to 2025-11-15. The vulnerability allows remote attackers who have some level of authenticated access (PR:L) to bypass authorization controls by manipulating the repository owner and name fields during API configuration. The API fails to verify that these fields belong to the GitHub App Installation ID associated with the user's organization, enabling attackers to request metadata for repositories outside their authorized scope. This metadata may include sensitive information about repositories that the attacker should not be able to access, leading to a confidentiality breach. The vulnerability does not impact integrity or availability, and no user interaction is required for exploitation. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N) indicates a network attack vector, low attack complexity, low privileges required, no user interaction, changed scope, and low confidentiality impact. No known exploits have been reported, and no patches have been released yet. The vulnerability highlights a common security design flaw where authorization checks are insufficient or improperly implemented in API endpoints dealing with third-party integrations.
Potential Impact
For European organizations, the primary impact of CVE-2025-67844 is unauthorized disclosure of sensitive repository metadata, which could include project details, configuration data, or other intellectual property. This exposure could facilitate further attacks such as social engineering, reconnaissance for supply chain attacks, or leakage of proprietary information. Organizations relying on Mintlify Platform integrated with GitHub for documentation or development workflows may inadvertently expose internal or private repository information to unauthorized users within their organization or potentially to external attackers with compromised credentials. While the vulnerability does not allow modification or deletion of data, the confidentiality breach could undermine trust, violate data protection regulations such as GDPR if personal or sensitive data is exposed, and cause reputational damage. The requirement for some privileges to exploit limits the risk to insiders or attackers who have gained limited access, but the network attack vector means exploitation can occur remotely. The absence of patches increases the urgency for mitigation.
Mitigation Recommendations
To mitigate CVE-2025-67844, organizations should implement strict validation of repository owner and name fields against the GitHub App Installation ID within the Mintlify Platform's API configuration. This validation must ensure that only repositories legitimately associated with the user's organization and installation ID can be accessed. Until an official patch is released, organizations should restrict API access to trusted users and monitor API logs for unusual or unauthorized repository access attempts. Employing least privilege principles for GitHub App installations and limiting the scope of repository access can reduce exposure. Additionally, organizations should conduct internal audits of repository metadata access and review integration configurations for potential misconfigurations. If possible, temporarily disable or limit the use of the Mintlify GitHub Integration API in sensitive environments. Finally, maintain awareness of vendor updates and apply patches promptly once available.
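The check the recommendations describe, shown as an added example rather than Mintlify's own code: the endpoint resolves the GitHub App installation from the authenticated tenant instead of trusting the caller, confirms the requested owner/name is among that installation's repositories, and writes a log line for every refusal so cross-tenant probing is visible in API monitoring. All fixtures (installation IDs, organisation names, repository lists, metadata) are constructed for the example; in a real service the repository list would come from GitHub's installation repositories endpoint using the installation's access token.

```typescript
// Added example (not Mintlify's code): installation-scoped authorization for a
// GitHub App integration endpoint that accepts repository owner and name from
// the caller. Every fixture below is constructed for the example.

type RepoRef = { owner: string; name: string };

// Stand-in for the repository list GitHub returns for an installation. A real
// service would fetch this with the installation's access token (constructed).
const INSTALLATION_REPOS: Record<number, RepoRef[]> = {
  1001: [
    { owner: "acme-docs", name: "handbook" },
    { owner: "acme-docs", name: "api-reference" },
  ],
  2002: [{ owner: "other-org", name: "internal-tools" }],
};

// Tenant -> GitHub App installation ID, as stored when the app was installed
// for that organisation (constructed).
const ORG_INSTALLATION: Record<string, number> = { acme: 1001, other: 2002 };

// The metadata the endpoint hands back, keyed by lower-case "owner/name" (constructed).
const REPO_METADATA: Record<string, { isPrivate: boolean; defaultBranch: string }> = {
  "acme-docs/handbook": { isPrivate: true, defaultBranch: "main" },
  "acme-docs/api-reference": { isPrivate: false, defaultBranch: "main" },
  "other-org/internal-tools": { isPrivate: true, defaultBranch: "develop" },
};

// Refusals are appended here; a real service would emit them to its API log.
const auditLog: string[] = [];

// GitHub resolves owner and repository names case-insensitively, so compare
// normalised values: otherwise "Acme-Docs/Handbook" would be wrongly rejected.
function sameRepo(a: RepoRef, b: RepoRef): boolean {
  return (
    a.owner.toLowerCase() === b.owner.toLowerCase() &&
    a.name.toLowerCase() === b.name.toLowerCase()
  );
}

// The check the advisory says was missing: is the requested repository one of
// those visible to the installation tied to the caller's organisation?
function repoBelongsToInstallation(installationId: number, requested: RepoRef): boolean {
  const repos = INSTALLATION_REPOS[installationId] ?? [];
  return repos.some((r) => sameRepo(r, requested));
}

type MetadataResponse =
  | { status: 200; metadata: { isPrivate: boolean; defaultBranch: string } }
  | { status: 404; error: string };

// Vulnerable shape: the handler trusts the caller-supplied owner/name and looks
// the repository up directly, so any tenant can read any repository the
// platform's own credentials can reach.
function getRepoMetadataUnchecked(requested: RepoRef): MetadataResponse {
  const key = `${requested.owner}/${requested.name}`.toLowerCase();
  const metadata = REPO_METADATA[key];
  if (metadata === undefined) {
    return { status: 404, error: "not found" };
  }
  return { status: 200, metadata };
}

// Hardened shape: the installation comes from the authenticated tenant, never
// from the request body, and anything outside it is refused and logged.
function getRepoMetadata(orgId: string, requested: RepoRef): MetadataResponse {
  const installationId: number | undefined = ORG_INSTALLATION[orgId];
  if (installationId === undefined || !repoBelongsToInstallation(installationId, requested)) {
    auditLog.push(
      `DENY org=${orgId} installation=${installationId ?? "none"} repo=${requested.owner}/${requested.name}`,
    );
    // 404 rather than 403 so the response does not confirm that the repository exists.
    return { status: 404, error: "not found" };
  }
  return getRepoMetadataUnchecked(requested);
}
```

The hardened handler returns the same 404 for "not in your installation" and "does not exist", which keeps the endpoint from acting as an existence oracle; the distinction is preserved in the audit log, where a burst of DENY lines from one organisation against repositories it does not own is the pattern worth alerting on.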
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Ireland
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-12-12T00:00:00.000Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 6944b7d24eb3efac36c40a51
Added to database: 12/19/2025, 2:26:26 AM
Last enriched: 12/26/2025, 4:29:05 AM
Last updated: 2/7/2026, 6:25:51 AM