Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
🐍 PyPI

GHSA-rpw8-82v9-3q87

MEDIUM

Fides' Admin UI User Password Change Does Not Invalidate Current Session

Also known asCVE-2025-57766
Published
Sep 8, 2025
Updated
Sep 13, 2025
Affected
1 pkg
Patched
1 / 1
Exploits
None indexed

EPSS Exploitation Probability

via FIRST.org ↗
0.3%probability of exploitation in next 30 days
Lower Risk19th percentile+0.20%
0.00%0.26%0.52%0.78%0.1%0.3%Dec 25Apr 26Jun 26

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Blast Radius

1 pkg affected
🐍ethyca-fides

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects PyPI packages — download data is not available via public APIs for these ecosystems.

Description

Summary

Admin UI user password changes in Fides do not invalidate active user sessions, creating a vulnerability chaining opportunity where attackers who have obtained session tokens through other attack vectors (such as XSS) can maintain access even after password reset. This issue is not directly exploitable on its own and requires a prerequisite vulnerability to obtain valid session tokens in the first place.

Details

Fides uses encrypted authentication tokens with extended expiration periods. When a password is changed via password reset endpoints, the system updates the password hash in the database but does not invalidate existing client sessions or tokens. The authentication system validates tokens based on their cryptographic integrity and expiration time, not against the current password state.

The frontend application stores authentication state in browser local storage, which persists across browser sessions until explicit logout or natural token expiration.

This behavior alone does not constitute a directly exploitable vulnerability. The security issue only becomes exploitable when chained with other vulnerabilities or conditions that allow attackers to obtain valid session tokens, such as:

  • Cross-Site Scripting (XSS) attacks that can access browser storage where tokens are stored
  • Session hijacking through network interception
  • Malware on the user's device that can read browser storage
  • Physical device access where attackers can access browser storage directly

Impact

This vulnerability serves as a persistence mechanism in attack chains rather than a primary attack vector. When chained with token theft vulnerabilities, it allows attackers to:

  • Maintain access beyond the remediation window when users change passwords in response to suspected compromise
  • Extend the impact timeframe of client-side attacks from minutes/hours to potentially an extended period
  • Defeat common incident response procedures that rely on password changes to secure compromised accounts

Stored tokens persist across browser sessions until explicit logout or natural expiration.

Patches

The vulnerability has been patched in Fides version 2.69.1. Users are advised to upgrade to this version or later to secure their systems against this threat.

Workarounds

There are no workarounds.

Severity

This vulnerability has been assigned a severity of LOW because:

  • No direct exploitability - requires chaining with other vulnerabilities
  • High attack complexity - multiple successful exploits needed
  • Limited standalone impact - only extends existing compromises
  • Aligns with industry standard classifications of LOW severity for session invalidation failures

This is fundamentally a defense-in-depth issue rather than a primary security vulnerability.

Affected Packages

1 total 1 fixed
EcosystemPackageVulnerable rangeFix
🐍PyPIethyca-fidesall versions2.69.1

Detection & mitigation playbook

Open-source dependency

  1. Detect

    Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for ethyca-fides. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update ethyca-fides to 2.69.1 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-rpw8-82v9-3q87 is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-rpw8-82v9-3q87 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-rpw8-82v9-3q87. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

### Summary Admin UI user password changes in Fides do not invalidate active user sessions, creating a vulnerability chaining opportunity where attackers who have obtained session tokens through other attack vectors (such as XSS) can maintain access even after password reset. This issue is not directly exploitable on its own and requires a prerequisite vulnerability to obtain valid session tokens in the first place. ### Details Fides uses encrypted authentication tokens with extended expiration periods. When a password is changed via password reset endpoints, the system updates the password
O3 Security · Impact-Aware SCA

Is GHSA-rpw8-82v9-3q87 in your dependencies?

O3 detects GHSA-rpw8-82v9-3q87 across PyPI dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works