CVE-2025-59036: Infrahub: Deleted and expired API tokens can still authenticate
A bug in Infrahub's authentication logic causes API tokens that have been deleted and/or have expired to still be treated as valid. In effect, any API token associated with an active user account authenticates successfully, regardless of whether the token was revoked or has passed its expiry date.
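To make the failure mode concrete, the following is an added example (not Infrahub's code, and not taken from the referenced commits) that models the bug class the advisory describes: a token lookup that resolves the token to its owner and checks only that the owner is active, beside a hardened check that also rejects deleted and expired tokens. The data model, names (`User`, `ApiToken`, `authenticate_weak`, `authenticate_strict`, `audit_discrepancies`) and the soft-delete flag are assumptions made for illustration; the token store is constructed sample data.

```python
"""
Illustrative model of the CVE-2025-59036 bug class: an API token check that
only validates the owning user's status, so deleted and expired tokens are
still accepted. This is NOT Infrahub's implementation; every name and data
structure here is an assumption for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class User:
    name: str
    active: bool


@dataclass
class ApiToken:
    token_id: str
    owner: str
    expires_at: Optional[datetime]  # None models a token with no expiry
    deleted: bool = False           # assumed soft-delete flag


# Constructed sample data: a fixed "now" keeps the example deterministic.
NOW = datetime(2025, 9, 1, tzinfo=timezone.utc)
USERS = {
    "alice": User("alice", active=True),
    "bob": User("bob", active=False),
}
TOKENS = {
    "tok-valid":    ApiToken("tok-valid", "alice", NOW + timedelta(days=30)),
    "tok-expired":  ApiToken("tok-expired", "alice", NOW - timedelta(days=1)),
    "tok-deleted":  ApiToken("tok-deleted", "alice", NOW + timedelta(days=30), deleted=True),
    "tok-inactive": ApiToken("tok-inactive", "bob", NOW + timedelta(days=30)),
}


def authenticate_weak(token_id: str, now: datetime = NOW) -> Optional[str]:
    """Flawed logic: the token row is resolved to its owner and only the
    owner's account status is checked. The token's own deleted flag and
    expiry are never consulted, so revoked and expired tokens still pass."""
    token = TOKENS.get(token_id)
    if token is None:
        return None
    user = USERS.get(token.owner)
    if user is None or not user.active:
        return None
    return user.name


def authenticate_strict(token_id: str, now: datetime = NOW) -> Optional[str]:
    """Hardened logic: the token must exist, must not be soft-deleted, must
    not be past its expiry, and its owner must be an active account."""
    token = TOKENS.get(token_id)
    if token is None or token.deleted:
        return None
    if token.expires_at is not None and token.expires_at <= now:
        return None
    user = USERS.get(token.owner)
    if user is None or not user.active:
        return None
    return user.name


def audit_discrepancies(now: datetime = NOW) -> list:
    """Defender-side check: list token ids the weak path would accept but the
    strict path rejects, i.e. credentials that are live only because of the
    bug. Useful for sizing the exposure before and after patching."""
    return sorted(
        tid for tid in TOKENS
        if authenticate_weak(tid, now) is not None
        and authenticate_strict(tid, now) is None
    )


if __name__ == "__main__":
    for tid in sorted(TOKENS):
        print(f"{tid:13s} weak={authenticate_weak(tid)!s:6s} strict={authenticate_strict(tid)}")
    print("accepted only because of the bug:", audit_discrepancies())
```

The weak path returns `alice` for both `tok-expired` and `tok-deleted`, exactly the behaviour the advisory describes; the strict path rejects both while still accepting `tok-valid`. Note that both paths correctly reject `tok-inactive`, which is why the bug is easy to miss in tests that only exercise the user-status case.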
References
- github.com/advisories/GHSA-v2p7-4pv4-3wwh
- github.com/opsmill/infrahub
- github.com/opsmill/infrahub/commit/215185f217e2f754f7c0a0aa4b77e11079a063a1
- github.com/opsmill/infrahub/commit/61b49a4a9e988f10c3a44f0e86ef97f344a1e228
- github.com/opsmill/infrahub/releases/tag/infrahub-v1.3.9
- github.com/opsmill/infrahub/releases/tag/infrahub-v1.4.5
- github.com/opsmill/infrahub/security/advisories/GHSA-v2p7-4pv4-3wwh
- nvd.nist.gov/vuln/detail/CVE-2025-59036