
CVE-2025-57766: Fides' Admin UI User Password Change Does Not Invalidate Current Session

September 8, 2025 (updated September 10, 2025)

Admin UI user password changes in Fides do not invalidate active user sessions, creating a vulnerability chaining opportunity where attackers who have obtained session tokens through other attack vectors (such as XSS) can maintain access even after password reset. This issue is not directly exploitable on its own and requires a prerequisite vulnerability to obtain valid session tokens in the first place.
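To illustrate the weakness class (CWE-613) and the shape of the fix the advisory describes, here is an added Python example built on a constructed in-memory user and session store; it is not Fides' code and does not reproduce the referenced commit. The vulnerable path rotates only the credential, so a previously issued token keeps working; the corrected path also revokes the user's other sessions.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory store for illustration only; not Fides' code, and the
# hashing here (PBKDF2) stands in for whatever the real product uses.
class SessionStore:
    def __init__(self):
        self.users = {}     # username -> {"salt": bytes, "hash": bytes}
        self.sessions = {}  # session token -> username

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = {"salt": salt, "hash": self._hash(password, salt)}

    def login(self, username, password):
        u = self.users.get(username)
        if u is None or not hmac.compare_digest(self._hash(password, u["salt"]), u["hash"]):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = username
        return token

    def is_valid(self, token):
        # A token stays valid for as long as it is present in the store.
        return token in self.sessions

    def change_password_vulnerable(self, username, new_password):
        # CWE-613 pattern from the advisory: the credential rotates, but every
        # session issued under the old password remains usable.
        u = self.users[username]
        u["hash"] = self._hash(new_password, u["salt"])

    def change_password(self, username, new_password, keep_token=None):
        # Hardened path: rotate the credential AND revoke the user's sessions.
        # keep_token lets the session that performed the change survive, so a
        # user changing their own password is not logged out mid-request.
        u = self.users[username]
        u["hash"] = self._hash(new_password, u["salt"])
        for token, owner in list(self.sessions.items()):
            if owner == username and token != keep_token:
                del self.sessions[token]
```

A regression test for the fix is simply: log in, change the password through the normal path, and assert the old token is rejected.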

References

  • github.com/advisories/GHSA-rpw8-82v9-3q87
  • github.com/ethyca/fides
  • github.com/ethyca/fides/commit/8daec4f5ad3daf0f0bdab4814f6757eb0965104b
  • github.com/ethyca/fides/releases/tag/2.69.1
  • github.com/ethyca/fides/security/advisories/GHSA-rpw8-82v9-3q87
  • nvd.nist.gov/vuln/detail/CVE-2025-57766

Affected versions

All versions before 2.69.1

Fixed versions

  • 2.69.1

Solution

Upgrade to version 2.69.1 or above.

Impact: 4.8 (MEDIUM)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Weakness

  • CWE-613: Insufficient Session Expiration

Source file

pypi/ethyca-fides/CVE-2025-57766.yml

Page generated Thu, 11 Sep 2025 00:19:29 +0000.