CVE-2025-57766

CVE-2025-57766 is a low-severity security vulnerability in ethyca-fides (pip), affecting versions < 2.69.1. It is fixed in 2.69.1.

Summary

Admin UI user password changes in Fides do not invalidate active user sessions, creating a vulnerability chaining opportunity where attackers who have obtained session tokens through other attack vectors (such as XSS) can maintain access even after password reset. This issue is not directly exploitable on its own and requires a prerequisite vulnerability to obtain valid session tokens in the first place.

Details

Fides uses encrypted authentication tokens with extended expiration periods. When a password is changed via password reset endpoints, the system updates the password hash in the database but does not invalidate existing client sessions or tokens. The authentication system validates tokens based on their cryptographic integrity and expiration time, not against the current password state.

The frontend application stores authentication state in browser local storage, which persists across browser sessions until explicit logout or natural token expiration.
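The following is an added illustration, not Fides code: Fides' real tokens are encrypted and its token format, claim names and endpoints are not reproduced here. It uses HMAC-signed JSON tokens as a stand-in, with a constructed secret key, user store and password-version claim (`pwv`) that are all assumptions of the example. It contrasts the behaviour the advisory describes (a token stays valid on signature and expiry alone, so a stolen token survives a password reset) with one common hardening, binding each token to a per-user password version that the reset increments. Whether 2.69.1 uses this exact mechanism is not stated on this page.

```python
"""Added example (not the Fides project's code): token validity vs. password state."""
import base64
import hashlib
import hmac
import json
import os
import time

SECRET_KEY = b"constructed-demo-signing-key"   # assumption: per-deployment key
TOKEN_TTL = 7 * 24 * 3600                       # assumption: long-lived tokens


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hash_password(password: str, salt: bytes) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def create_user(store: dict, username: str, password: str) -> None:
    salt = os.urandom(16)
    store[username] = {"salt": salt, "pw_hash": hash_password(password, salt), "pw_version": 0}


def change_password(store: dict, username: str, new_password: str) -> None:
    """Password reset: rehash, and bump the version the hardened check keys off."""
    user = store[username]
    user["pw_hash"] = hash_password(new_password, user["salt"])
    user["pw_version"] += 1


def issue_token(store: dict, username: str, now: float, bind_to_password: bool) -> str:
    claims = {"sub": username, "exp": now + TOKEN_TTL}
    if bind_to_password:
        claims["pwv"] = store[username]["pw_version"]   # hypothetical claim name
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def _verify_signature_and_expiry(token: str, now: float):
    """Shared check: cryptographic integrity and expiry, nothing about the user."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):
            return None
        claims = json.loads(_unb64(body))
    except (ValueError, KeyError):
        return None
    return claims if claims.get("exp", 0) > now else None


def authenticate_vulnerable(token: str, now: float):
    """Behaviour the advisory describes: a valid, unexpired token is accepted
    regardless of whether the password changed after it was issued."""
    claims = _verify_signature_and_expiry(token, now)
    return claims["sub"] if claims else None


def authenticate_fixed(store: dict, token: str, now: float):
    """Hardened: the token must also carry the user's current password version."""
    claims = _verify_signature_and_expiry(token, now)
    if claims is None:
        return None
    user = store.get(claims.get("sub"))
    if user is None or claims.get("pwv") != user["pw_version"]:
        return None
    return claims["sub"]


def demo() -> dict:
    """Constructed scenario: an attacker holds a copied token, the user resets."""
    store = {}
    create_user(store, "admin", "hunter2")
    t0 = time.time()
    stolen_unbound = issue_token(store, "admin", t0, bind_to_password=False)
    stolen_bound = issue_token(store, "admin", t0, bind_to_password=True)
    change_password(store, "admin", "correct-horse-battery")   # incident response step
    later = t0 + 3600                                           # still well inside TTL
    # A forged body reusing the old signature must fail either way.
    body = _b64(json.dumps({"sub": "root", "exp": later + 10}).encode())
    forged = body + "." + stolen_unbound.split(".")[1]
    return {
        "vulnerable_after_reset": authenticate_vulnerable(stolen_unbound, later),
        "fixed_after_reset": authenticate_fixed(store, stolen_bound, later),
        "fixed_fresh_login": authenticate_fixed(
            store, issue_token(store, "admin", later, True), later),
        "forged": authenticate_vulnerable(forged, later),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the comparison is the last line of `authenticate_fixed`: the server consults current account state on every request, so a password reset (or any other event that bumps the version) cuts off every token minted before it, while fresh logins keep working. A server-side session table that the reset endpoint clears achieves the same effect at the cost of a lookup per request.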

This behavior alone does not constitute a directly exploitable vulnerability. The security issue only becomes exploitable when chained with other vulnerabilities or conditions that allow attackers to obtain valid session tokens, such as:

  • Cross-Site Scripting (XSS) attacks that can access browser storage where tokens are stored
  • Session hijacking through network interception
  • Malware on the user's device that can read browser storage
  • Physical device access where attackers can access browser storage directly

Workarounds

There are no workarounds.

Severity

This vulnerability has been assigned a severity of LOW because:

  • No direct exploitability - requires chaining with other vulnerabilities
  • High attack complexity - multiple successful exploits needed
  • Limited standalone impact - only extends existing compromises
  • Aligns with industry standard classifications of LOW severity for session invalidation failures

This is fundamentally a defense-in-depth issue rather than a primary security vulnerability.

Impact

This vulnerability serves as a persistence mechanism in attack chains rather than a primary attack vector. When chained with token theft vulnerabilities, it allows attackers to:

  • Maintain access beyond the remediation window when users change passwords in response to suspected compromise
  • Extend the impact timeframe of client-side attacks from minutes/hours to the full remaining lifetime of the stolen token
  • Defeat common incident response procedures that rely on password changes to secure compromised accounts

Stored tokens persist across browser sessions until explicit logout or natural expiration.

CVE-2025-57766 has a CVSS base score of 4.8; the maintainers rate it Low (see Severity above) even though 4.8 falls in the CVSS v3 Medium band. The vector is network-reachable, with no privileges required and no user interaction, but the attack complexity is high because a valid token must first be obtained through another vector. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (2.69.1); upgrading removes the vulnerable code path.

Affected versions

ethyca-fides (< 2.69.1)

Security releases

ethyca-fides → 2.69.1 (pip)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

The vulnerability has been patched in Fides version 2.69.1. Users are advised to upgrade to this version or later to secure their systems against this threat.

Frequently Asked Questions

  1. What is CVE-2025-57766? CVE-2025-57766 is a low-severity security vulnerability in ethyca-fides (pip), affecting versions < 2.69.1. It is fixed in 2.69.1.
  2. How severe is CVE-2025-57766? CVE-2025-57766 has a CVSS base score of 4.8, which the maintainers rate Low because it is only exploitable when chained with a token-theft vulnerability. This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of ethyca-fides are affected by CVE-2025-57766? ethyca-fides (pip) versions < 2.69.1 are affected.
  4. Is there a fix for CVE-2025-57766? Yes. CVE-2025-57766 is fixed in 2.69.1. Upgrade to this version or later.
  5. Is CVE-2025-57766 exploitable, and should I be worried? Whether CVE-2025-57766 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether CVE-2025-57766 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2025-57766? Upgrade ethyca-fides to 2.69.1 or later.

Other vulnerabilities in ethyca-fides

CVE-2026-44541, CVE-2026-42303, CVE-2025-57817, CVE-2025-57815, CVE-2025-57766
