CVE-2025-57816

7.5 HIGH

📋 TL;DR

This vulnerability allows attackers to bypass rate limiting in deployments of the Fides privacy engineering platform that rely on its built-in IP-based rate limiting. It affects environments behind CDNs, proxies, or load balancers, where Fides identifies the infrastructure IP instead of the real client IP, so request counters are not kept per client. Only deployments using Fides's built-in rate limiting are vulnerable; those using an external rate limiting solution are unaffected.

💻 Affected Systems

Products:
  • Fides
Versions: All versions prior to 2.69.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments using Fides's built-in IP-based rate limiting. Deployments using external rate limiting solutions are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete denial of service through unlimited API requests overwhelming the Fides webserver, potentially disrupting privacy operations and data processing.

🟠 Likely Case

Partial service degradation through excessive API requests that would normally be rate-limited, impacting performance and availability.

🟢 If Mitigated

No impact if external rate limiting (WAF, API gateway) is already deployed or if the vulnerability is patched.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending excessive API requests through infrastructure that obscures client IPs (CDNs, proxies, load balancers).

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.69.1

Vendor Advisory: https://github.com/ethyca/fides/security/advisories/GHSA-fq34-xw6c-fphf

Restart Required: Yes

Instructions:

1. Update Fides to version 2.69.1 or later.
2. Restart the Fides webserver service.
3. Verify the update was successful.

🔧 Temporary Workarounds

Implement external rate limiting

Applies to: all

Deploy a WAF, API gateway, or similar external rate limiting solution that correctly identifies client IPs behind proxies/CDNs.
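What "correctly identifies client IPs behind proxies" means in practice is illustrated by the following added example. It is not Fides code and not taken from the advisory: it contrasts a limiter keyed on the socket peer address (which collapses every client behind a CDN or load balancer into one counter) with a limiter keyed on the rightmost untrusted hop of X-Forwarded-For, using a hypothetical trusted-proxy list. The proxy chain, addresses, and traffic are constructed for the demonstration.

```python
"""Per-client rate-limit keying behind a reverse proxy (added illustration, not Fides code)."""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for this example)."""
    peer_ip: str                                  # address on the accepted socket
    headers: dict = field(default_factory=dict)


# Hypothetical chain: client -> CDN edge (198.51.100.0/24) -> load balancer (10.0.0.0/8) -> webserver.
TRUSTED_PROXIES = ["10.0.0.0/8", "198.51.100.0/24"]


def peer_ip_key(req: Request) -> str:
    """Weak key: the socket peer. Behind a proxy this is always the proxy's own IP."""
    return req.peer_ip


def client_ip_key(req: Request, trusted_proxies: list[str] = TRUSTED_PROXIES) -> str:
    """Hardened key: walk X-Forwarded-For from the right, skipping trusted proxy hops.

    The first hop that is not a trusted proxy is the client. A header arriving on a
    direct (untrusted) connection is ignored, so a client cannot choose its own key,
    and extra hops a client prepends are never reached because the walk stops at the
    first untrusted address next to the trusted chain.
    """
    nets = [ip_network(n) for n in trusted_proxies]

    def trusted(addr: str) -> bool:
        try:
            return any(ip_address(addr) in net for net in nets)
        except ValueError:
            return False

    if not trusted(req.peer_ip):
        return req.peer_ip                        # direct connection: header is untrustworthy
    hops = [h.strip() for h in req.headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        if not trusted(hop):
            return hop
    return req.peer_ip                            # no usable hop: fall back to the peer


class SlidingWindowLimiter:
    """Allow at most `limit` requests per key within any `window_seconds` span."""

    def __init__(self, limit: int, window_seconds: float):
        self.limit = limit
        self.window = window_seconds
        self._hits: dict[str, deque] = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        q = self._hits[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def simulate(keyfunc, requests: list[Request], limit: int = 5) -> dict[str, int]:
    """Return how many requests each client got through under the given key function."""
    limiter = SlidingWindowLimiter(limit, 60.0)
    allowed: dict[str, int] = defaultdict(int)
    for i, req in enumerate(requests):
        client = req.headers.get("X-Forwarded-For", req.peer_ip).split(",")[0].strip()
        if limiter.allow(keyfunc(req), now=float(i)):
            allowed[client] += 1
    return dict(allowed)


# Constructed traffic: 10 clients each send 5 requests, round-robin, through one edge and one LB.
LB, EDGE = "10.0.0.5", "198.51.100.1"
TRAFFIC = [
    Request(LB, {"X-Forwarded-For": f"203.0.113.{c}, {EDGE}"})
    for _round in range(5)
    for c in range(1, 11)
]

if __name__ == "__main__":
    print("peer-keyed  :", simulate(peer_ip_key, TRAFFIC))     # one shared counter for everyone
    print("client-keyed:", simulate(client_ip_key, TRAFFIC))   # 5 allowed per client
```

With the peer-keyed limiter every client shares the load balancer's bucket, so the counters never increment per client; with the client-keyed limiter each of the ten clients is counted separately, and a forged X-Forwarded-For on a direct connection or an extra prepended hop does not change the key.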

🧯 If You Can't Patch

  • Deploy an external rate limiting solution (WAF, API gateway) that properly identifies client IPs.
  • Monitor API traffic for unusual patterns and implement alerting for potential abuse.

🔍 How to Verify

Check if Vulnerable:

Check if running Fides version earlier than 2.69.1 and using built-in rate limiting without external protection.

Check Version:

Check Fides configuration or deployment manifest for version information.

Verify Fix Applied:

Confirm Fides version is 2.69.1 or later and test rate limiting behavior with requests through a proxy/CDN.

📡 Detection & Monitoring

Log Indicators:

  • Unusually high volume of API requests from single infrastructure IPs
  • Rate limiting logs showing counters not incrementing per client

Network Indicators:

  • Sustained high-volume API traffic patterns that bypass expected rate limits

SIEM Query:

source="fides" AND (message="rate limit" OR message="API request") | stats count by src_ip | where count > threshold
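The following added example applies the same aggregation as the SIEM query above to a handful of constructed log lines, and additionally counts distinct forwarded client addresses per source IP so an analyst can tell a single abusive client apart from an infrastructure IP that is fronting many clients (the condition under which a limiter keyed on that IP cannot count per client). It is not Fides code; the key=value log format, the field names `src_ip` and `xff`, and the addresses are all assumptions made for the demonstration.

```python
"""Count API requests per source IP and per forwarded client (added example, not Fides code)."""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed sample log lines in a hypothetical key=value format.
SAMPLE_LOG = [
    'fides api_request src_ip=10.0.0.5 xff="203.0.113.1, 198.51.100.1" path=/api/v1/privacy-request status=200',
    'fides api_request src_ip=10.0.0.5 xff="203.0.113.2, 198.51.100.1" path=/api/v1/privacy-request status=200',
    'fides api_request src_ip=10.0.0.5 xff="203.0.113.3, 198.51.100.1" path=/api/v1/privacy-request status=200',
    'fides api_request src_ip=10.0.0.5 xff="203.0.113.1, 198.51.100.1" path=/api/v1/privacy-request status=200',
    'fides api_request src_ip=10.0.0.5 xff="203.0.113.2, 198.51.100.1" path=/api/v1/privacy-request status=200',
    'fides api_request src_ip=10.0.0.5 xff="203.0.113.3, 198.51.100.1" path=/api/v1/privacy-request status=200',
    'fides api_request src_ip=10.0.0.5 xff="203.0.113.1, 198.51.100.1" path=/api/v1/privacy-request status=429',
    'fides api_request src_ip=192.0.2.9 path=/api/v1/health status=200',
    'fides api_request src_ip=192.0.2.9 path=/api/v1/health status=200',
    'fides startup message="rate limit enabled"',          # no src_ip: skipped by the parser
]

LINE_RE = re.compile(r'src_ip=(?P<src>\S+)(?:\s+xff="(?P<xff>[^"]*)")?')


def parse(lines: list[str]):
    """Yield (src_ip, client_ip) pairs; the client is the leftmost XFF hop, else the source."""
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        xff = m.group("xff")
        client = xff.split(",")[0].strip() if xff else m.group("src")
        yield m.group("src"), client


def summarize(lines: list[str]) -> dict[str, dict]:
    """Per source IP: total requests and how many distinct forwarded clients sit behind it."""
    counts: dict[str, int] = defaultdict(int)
    clients: dict[str, set] = defaultdict(set)
    for src, client in parse(lines):
        counts[src] += 1
        clients[src].add(client)
    return {
        src: {
            "requests": counts[src],
            "distinct_clients": len(clients[src]),
            # many clients behind one address means the address is infrastructure, not a single abuser
            "kind": "infrastructure" if len(clients[src]) > 1 else "single-client",
        }
        for src in counts
    }


def flag(lines: list[str], threshold: int) -> list[str]:
    """Equivalent of `stats count by src_ip | where count > threshold`."""
    return sorted(src for src, s in summarize(lines).items() if s["requests"] > threshold)


if __name__ == "__main__":
    for src, s in summarize(SAMPLE_LOG).items():
        print(src, s)
    print("over threshold:", flag(SAMPLE_LOG, threshold=5))
```

A source IP that is flagged with many distinct clients behind it is the proxy or load balancer itself; the volume there is expected, and the useful follow-up is to check that the rate limiter in front of Fides is keyed on the forwarded client rather than on that address.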
