CVE-2025-64708: authentik's invitation expiry is delayed by at least 5 minutes

November 19, 2025

In previous authentik versions, invitations were considered valid regardless if they are expired or not, thus relying on background tasks to clean up expired ones. In a normal scenario this can take up to 5 minutes because the cleanup of expired objects is scheduled to run every 5 minutes. However, with a large amount of tasks in the backlog, this might take longer.

References

github.com/advisories/GHSA-ch7q-53v8-73pc
github.com/goauthentik/authentik
github.com/goauthentik/authentik/commit/6672e6aaa41e0f2c9bfb1e4d8b51cf114969e830
github.com/goauthentik/authentik/security/advisories/GHSA-ch7q-53v8-73pc
nvd.nist.gov/vuln/detail/CVE-2025-64708

Code Behaviors & Features

Detect and mitigate CVE-2025-64708 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →