CVE-2025-53099

7.5 HIGH

📋 TL;DR

This CVE describes an OAuth authorization flaw in Sentry where attackers with malicious OAuth applications can exploit a race condition to maintain persistent access to user accounts. By generating multiple authorization codes through specially timed requests, attackers can obtain access and refresh tokens even after application de-authorization. Self-hosted Sentry installations prior to version 25.5.0 are affected, while Sentry SaaS users are protected.
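To make the "proper code handling" difference concrete, the following is an added illustration written for this page, not Sentry's code and not the actual patch: a toy in-memory grant store with a token endpoint that only checks whether an authorization code exists (the behaviour the TL;DR describes, where codes and tokens outlive de-authorization) beside a hardened variant that consults the grant state under a lock, redeems each code atomically so it is single-use, and invalidates every outstanding code and token when the user revokes the application. All class, function and field names are assumptions.

```python
"""Added illustration (not Sentry's code) of the failure class behind
CVE-2025-53099: authorization codes and tokens that keep working after the
user de-authorizes the OAuth application. Names are assumptions."""
import secrets
import threading
from dataclasses import dataclass, field


@dataclass
class GrantStore:
    """Authorization state for one (user, OAuth app) pair; constructed for the example."""
    authorized: bool = True
    codes: set = field(default_factory=set)    # unredeemed authorization codes
    tokens: set = field(default_factory=set)   # live access/refresh tokens
    lock: threading.Lock = field(default_factory=threading.Lock)


def issue_code(store: GrantStore) -> str:
    """Authorization endpoint: mint a code only while the grant is active."""
    with store.lock:
        if not store.authorized:
            raise PermissionError("application is not authorized for this user")
        code = secrets.token_urlsafe(32)
        store.codes.add(code)
        return code


def deauthorize_vulnerable(store: GrantStore) -> None:
    """Flips the flag but leaves already-minted codes and tokens alive."""
    store.authorized = False


def exchange_code_vulnerable(store: GrantStore, code: str) -> str:
    """Token endpoint that only asks whether the code exists. The grant state is
    never consulted, and check-then-discard is not atomic, so a code minted by a
    racing request before de-authorization still buys a token afterwards."""
    if code not in store.codes:
        raise PermissionError("unknown authorization code")
    store.codes.discard(code)
    token = secrets.token_urlsafe(32)
    store.tokens.add(token)
    return token


def deauthorize_hardened(store: GrantStore) -> None:
    """Revocation and cleanup of every outstanding code and token happen in one
    critical section, so nothing issued before the revoke survives it."""
    with store.lock:
        store.authorized = False
        store.codes.clear()
        store.tokens.clear()


def exchange_code_hardened(store: GrantStore, code: str) -> str:
    """Under the same lock: the grant must still be active and the code is
    removed in the same step it is checked, making it single-use."""
    with store.lock:
        if not store.authorized:
            raise PermissionError("grant has been revoked")
        try:
            store.codes.remove(code)        # KeyError if unknown or already used
        except KeyError:
            raise PermissionError("unknown or already redeemed code") from None
        token = secrets.token_urlsafe(32)
        store.tokens.add(token)
        return token


def token_is_valid(store: GrantStore, token: str) -> bool:
    """Resource-side check: a token is only good while the grant is active."""
    with store.lock:
        return store.authorized and token in store.tokens


def demo() -> dict:
    """Run both variants through the same sequence: user authorizes, the app
    mints a code, the user revokes the app, the app tries to redeem the code."""
    results = {}
    for name, deauth, exchange in (
        ("vulnerable", deauthorize_vulnerable, exchange_code_vulnerable),
        ("hardened", deauthorize_hardened, exchange_code_hardened),
    ):
        store = GrantStore()
        code = issue_code(store)
        deauth(store)
        try:
            exchange(store, code)
            results[name] = "token issued after de-authorization"
        except PermissionError:
            results[name] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The design point is that revocation, code redemption and token validation all consult one grant record under one lock; a token endpoint that treats "the code exists" as sufficient has no way to learn that the user has since revoked the application, which is the condition the advisory's verification step ("test OAuth authorization flows for proper code handling") is meant to exercise.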

💻 Affected Systems

Products:
  • Sentry
Versions: All versions prior to 25.5.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects self-hosted Sentry installations. Sentry SaaS (cloud) users are automatically protected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers maintain persistent unauthorized access to user accounts, potentially accessing sensitive error data, performance metrics, and organizational information within Sentry instances.

🟠

Likely Case

Attackers with malicious OAuth apps gain persistent access to compromised user accounts, allowing them to view application error data and potentially escalate privileges within the Sentry environment.

🟢

If Mitigated

With proper OAuth application vetting and monitoring, impact is limited to isolated account compromise rather than system-wide access.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires attacker-controlled OAuth application registration and precise timing of requests. The race condition nature makes exploitation somewhat complex but feasible for determined attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 25.5.0

Vendor Advisory: https://github.com/getsentry/sentry/security/advisories

Restart Required: Yes

Instructions:

1. Backup your Sentry configuration and database.
2. Stop Sentry services.
3. Update Sentry to version 25.5.0 or higher using your package manager or deployment method.
4. Restart Sentry services.
5. Verify the update was successful.

🔧 Temporary Workarounds

Disable OAuth Application Registration

all

Temporarily disable new OAuth application registrations to prevent attackers from registering malicious applications.

# Configure in Sentry settings (sentry.conf.py) or environment variables;
# feature flags are Python booleans, so the value is False, not false
SENTRY_FEATURES["auth:register"] = False

Review and Revoke Suspicious OAuth Applications

all

Audit existing OAuth applications and revoke access for any suspicious or unnecessary applications.

# Use Sentry admin interface or API to review OAuth applications
# Revoke suspicious applications immediately

🧯 If You Can't Patch

  • Implement strict monitoring of OAuth authorization flows and audit logs for suspicious patterns
  • Enforce mandatory multi-factor authentication for all Sentry user accounts

🔍 How to Verify

Check if Vulnerable:

Check Sentry version via web interface or API. Versions below 25.5.0 are vulnerable.

Check Version:

sentry --version or check Sentry web interface under Admin > System Information

Verify Fix Applied:

Confirm Sentry version is 25.5.0 or higher and test OAuth authorization flows for proper code handling.

📡 Detection & Monitoring

Log Indicators:

  • Multiple authorization code generation for same user/OAuth app in short timeframe
  • OAuth token exchanges after application de-authorization
  • Unusual OAuth application registration patterns

Network Indicators:

  • Rapid succession of OAuth authorization requests
  • Multiple token exchange requests using different authorization codes

SIEM Query:

source="sentry" AND ("authorization_code" OR "oauth_token") | stats count by user, oauth_app | where count > threshold
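As an added example that is not part of the advisory, the first two log indicators above (a burst of authorization codes for one user/app pair, and a token exchange after that pair was de-authorized) are implemented below over a constructed sample log. The field names `ts`, `event`, `user` and `oauth_app` and the event names are assumptions; map them onto the actual audit-log schema of your deployment. The window and threshold are parameters rather than the fixed "threshold" placeholder in the SIEM query.

```python
"""Added detection example (not from the advisory or Sentry): the first two log
indicators above, implemented over constructed sample events. Field names
(ts, event, user, oauth_app) and event names are assumptions; map them to the
actual audit-log schema of your Sentry deployment."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: alice's app gets four codes in two seconds, then a token
# exchange after she revokes it; bob's app shows a normal single authorization.
SAMPLE_LOG = """\
{"ts": "2025-06-01T10:00:00Z", "event": "oauth.authorize", "user": "alice", "oauth_app": "app-a"}
{"ts": "2025-06-01T10:00:00Z", "event": "oauth.authorize", "user": "alice", "oauth_app": "app-a"}
{"ts": "2025-06-01T10:00:01Z", "event": "oauth.authorize", "user": "alice", "oauth_app": "app-a"}
{"ts": "2025-06-01T10:00:01Z", "event": "oauth.authorize", "user": "alice", "oauth_app": "app-a"}
{"ts": "2025-06-01T10:05:00Z", "event": "oauth.deauthorize", "user": "alice", "oauth_app": "app-a"}
{"ts": "2025-06-01T10:06:00Z", "event": "oauth.token_exchange", "user": "alice", "oauth_app": "app-a"}
{"ts": "2025-06-01T11:00:00Z", "event": "oauth.authorize", "user": "bob", "oauth_app": "app-b"}
{"ts": "2025-06-01T11:00:05Z", "event": "oauth.token_exchange", "user": "bob", "oauth_app": "app-b"}
"""


def parse(log: str) -> list:
    """One JSON object per line; returns events ordered by timestamp."""
    events = []
    for line in log.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    events.sort(key=lambda r: r["ts"])   # stable sort keeps same-second order
    return events


def burst_authorizations(events, window=timedelta(seconds=10), threshold=3):
    """Indicator: at least `threshold` authorization codes minted for the same
    (user, app) pair inside `window`. Sliding window over sorted timestamps."""
    per_pair = defaultdict(list)
    for e in events:
        if e["event"] == "oauth.authorize":
            per_pair[(e["user"], e["oauth_app"])].append(e["ts"])
    hits = []
    for pair, times in per_pair.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits.append(pair)
                break
    return hits


def exchanges_after_deauthorization(events):
    """Indicator: a token exchange for a (user, app) pair after the user revoked
    it. A later re-authorization by the user clears the revoked state so a
    legitimate re-install is not flagged."""
    revoked = set()
    hits = []
    for e in events:
        key = (e["user"], e["oauth_app"])
        if e["event"] == "oauth.deauthorize":
            revoked.add(key)
        elif e["event"] == "oauth.authorize":
            revoked.discard(key)
        elif e["event"] == "oauth.token_exchange" and key in revoked:
            hits.append(key)
    return hits


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("burst:", burst_authorizations(evs))
    print("post-revoke exchange:", exchanges_after_deauthorization(evs))
```

Tune `window` and `threshold` against a baseline of legitimate authorizations before alerting on the burst rule; the post-revocation rule needs no threshold, since any token exchange after a de-authorization that was not followed by a fresh authorization is anomalous on its own.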

🔗 References
