216.73.217.176

CVE-2025-53099

· Published 01/07/2025 15:15 · Modified 01/07/2025 15:15

Labels: CVE-2025-53099 2025-07-01CVE-2025-53099CWE-288[email protected]

Essential information

Published
01/07/2025 15:15
Modified
01/07/2025 15:15
Author
Creator
CVSS
5.5 MEDIUM (v3) 5.5 MEDIUM (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

Sentry is a developer-first error tracking and performance monitoring tool. Prior to version 25.5.0, an attacker with a malicious OAuth application registered with Sentry can take advantage of a race condition and improper handling of authorization code within Sentry to maintain persistence to a user's account. With a specially timed requests and redirect flows, an attacker could generate multiple authorization codes that could be used to exchange for access and refresh tokens. This was possible even after de-authorizing the particular application. This issue has been patched in version 25.5.0. Self-hosted Sentry users should upgrade to version 25.5.0 or higher. Sentry SaaS users do not need to take any action.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
sentry / sentry cpe:2.3:a:sentry:sentry:<25.5.0:*:*:*:*:*:*:*
sentry / sentry cpe:2.3:a:sentry:sentry:25.5.0:*:*:*:*:*:*:*

References