CVE-2025-22146
📋 TL;DR
A critical SAML SSO vulnerability in Sentry allows attackers to take over any user account by using a malicious SAML Identity Provider and another organization on the same Sentry instance. The attacker needs to know the victim's email address. This affects all Sentry instances with multiple organizations unless they have SENTRY_SINGLE_ORGANIZATION = True.
💻 Affected Systems
- Sentry
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover of any user, potentially leading to data theft, privilege escalation, and unauthorized access to sensitive error tracking and performance monitoring data.
Likely Case
Targeted account compromise of specific users whose email addresses are known to attackers, leading to unauthorized access to organizational data.
If Mitigated
No impact if SENTRY_SINGLE_ORGANIZATION = True is set or if upgraded to patched version.
🎯 Exploit Status
Requires attacker to control a malicious SAML Identity Provider and have knowledge of victim email addresses. The vulnerability was discovered through a private bug bounty program.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 25.1.0
Vendor Advisory: https://github.com/getsentry/sentry/security/advisories/GHSA-7pq6-v88g-wf3w
Restart Required: Yes
Instructions:
1. Back up your Sentry instance.
2. Upgrade to Sentry version 25.1.0 or higher.
3. Restart the Sentry services.
4. Verify that the upgrade was successful.
🔧 Temporary Workarounds
Enable Single Organization Mode
Set SENTRY_SINGLE_ORGANIZATION = True to prevent exploitation by restricting the instance to a single organization, which removes the second organization the attack depends on.
export SENTRY_SINGLE_ORGANIZATION=True
🧯 If You Can't Patch
- Enable SENTRY_SINGLE_ORGANIZATION = True configuration
- Monitor authentication logs for suspicious SAML login attempts
🔍 How to Verify
Check if Vulnerable:
Check the Sentry version: an instance is vulnerable if it runs a version below 25.1.0, hosts multiple organizations, and does not have SENTRY_SINGLE_ORGANIZATION set to True.
Check Version:
sentry --version
Verify Fix Applied:
Verify that the Sentry version is 25.1.0 or higher, then confirm that SAML SSO still works for the configured Identity Providers.
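The two checks above (version below 25.1.0, workaround flag not set) combined into one script, as an added example that is not part of the advisory or of Sentry's own tooling. It assumes the workaround is expressed either as the environment variable the page exports or as a literal `SENTRY_SINGLE_ORGANIZATION = True` line in sentry.conf.py; the sample config text and version string are constructed.

```python
import os
import re
import subprocess

# Version in which the vendor advisory says CVE-2025-22146 is fixed.
PATCHED_VERSION = (25, 1, 0)

def parse_version(text):
    """Extract a (major, minor, patch) tuple from output such as 'sentry, version 24.12.1'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(x) for x in m.groups())

def installed_version():
    """Run the `sentry --version` check the page gives and parse its output."""
    out = subprocess.run(["sentry", "--version"], capture_output=True, text=True, check=True)
    return parse_version(out.stdout)

_TRUE_VALUES = {"1", "true", "yes", "on"}
# Matches an uncommented, literal assignment; a value computed from env() inside
# the config file is not detected, so treat a miss there as "unknown", not "off".
_CONF_RE = re.compile(r"^[ \t]*SENTRY_SINGLE_ORGANIZATION[ \t]*=[ \t]*True\b", re.MULTILINE)

def single_org_enabled(env=None, conf_text=""):
    """True if the workaround is active via the environment variable or sentry.conf.py."""
    env = os.environ if env is None else env
    if env.get("SENTRY_SINGLE_ORGANIZATION", "").strip().lower() in _TRUE_VALUES:
        return True
    return bool(_CONF_RE.search(conf_text))

def assess(version, org_count, single_org):
    """Classify an instance: 'patched', 'mitigated', 'single-org' or 'VULNERABLE'."""
    if version >= PATCHED_VERSION:
        return "patched"
    if single_org:
        return "mitigated"
    if org_count < 2:
        # The advisory scopes the flaw to multi-org instances; setting the flag keeps it that way.
        return "single-org"
    return "VULNERABLE"

if __name__ == "__main__":
    # Constructed inputs; in practice use installed_version(), the real organization
    # count from the admin UI, and the contents of your sentry.conf.py.
    sample_conf = "SENTRY_OPTIONS['system.url-prefix'] = 'https://sentry.example'\n"
    status = assess(parse_version("sentry, version 24.12.1"), 3, single_org_enabled({}, sample_conf))
    print(f"CVE-2025-22146 status: {status}")  # prints "CVE-2025-22146 status: VULNERABLE"
```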
📡 Detection & Monitoring
Log Indicators:
- Unusual SAML authentication attempts
- Login events from unexpected Identity Providers
- Multiple failed authentication attempts followed by successful login
Network Indicators:
- SAML requests from unknown or suspicious Identity Providers
- Unusual patterns in SAML assertion traffic
SIEM Query:
source="sentry" AND (event="saml_auth" OR event="user_login") AND result="success" | stats count by user, identity_provider