CVE-2025-59044
📋 TL;DR
Himmelblau 0.9.x versions derive numeric GIDs from Entra ID group display names, allowing distinct groups with identical names to map to the same GID. This enables unauthorized access to resources protected by numeric GID authorization on Linux hosts. Affected users are organizations using Himmelblau 0.9.0-0.9.22 with default configuration.
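The following is an added illustration of the mechanism in the TL;DR; it is not Himmelblau's code. It models two distinct Entra ID groups that share a display name and shows that a GID keyed on the display name merges them while a GID keyed on the immutable object ID keeps them apart. The hash-to-range scheme, the GID range constants and the sample group values are assumptions constructed for the demonstration, not the project's actual algorithm or real tenant data.

```rust
// Added illustration (not Himmelblau's code): why deriving a GID from a
// group's display name lets two different Entra ID groups collide, and why
// keying on the tenant-assigned object ID does not. The hash-to-range scheme
// and the GID range are stand-in assumptions, not Himmelblau's algorithm.
use std::collections::hash_map::DefaultHasher;
use std::collections::BTreeMap;
use std::hash::{Hash, Hasher};

/// Minimal model of an Entra ID group as seen by a Linux host.
#[derive(Debug, Clone)]
pub struct EntraGroup {
    /// Immutable object ID (GUID) assigned by the tenant.
    pub object_id: String,
    /// Mutable, non-unique display name chosen by whoever created the group.
    pub display_name: String,
}

/// Assumed GID range reserved for cloud-derived groups (placeholder values).
const GID_BASE: u32 = 2_000_000;
const GID_SPAN: u32 = 1_000_000;

/// Deterministically fold a string key into the reserved GID range.
fn gid_from_key(key: &str) -> u32 {
    let mut h = DefaultHasher::new();
    key.hash(&mut h);
    GID_BASE + (h.finish() % GID_SPAN as u64) as u32
}

/// Vulnerable derivation: the GID depends only on the display name, so any
/// group that reuses the name receives the same GID.
pub fn gid_by_display_name(g: &EntraGroup) -> u32 {
    gid_from_key(&g.display_name)
}

/// Fixed derivation: the GID depends on the object ID, which the tenant
/// guarantees to be unique and which a user cannot choose.
pub fn gid_by_object_id(g: &EntraGroup) -> u32 {
    gid_from_key(&g.object_id)
}

/// Map each GID to the object IDs that resolve to it and keep only entries
/// with more than one object ID: each such entry is a collision that would
/// grant one group's members the other group's GID-based access.
pub fn find_collisions(
    groups: &[EntraGroup],
    derive: fn(&EntraGroup) -> u32,
) -> BTreeMap<u32, Vec<String>> {
    let mut by_gid: BTreeMap<u32, Vec<String>> = BTreeMap::new();
    for g in groups {
        by_gid.entry(derive(g)).or_default().push(g.object_id.clone());
    }
    by_gid.retain(|_, ids| ids.len() > 1);
    by_gid
}

/// Constructed sample tenant: a privileged security group and a later
/// user-created M365 group that reuses its display name (placeholder GUIDs).
pub fn sample_groups() -> Vec<EntraGroup> {
    vec![
        EntraGroup {
            object_id: "11111111-1111-1111-1111-111111111111".to_string(),
            display_name: "linux-admins".to_string(),
        },
        EntraGroup {
            object_id: "22222222-2222-2222-2222-222222222222".to_string(),
            display_name: "linux-admins".to_string(),
        },
        EntraGroup {
            object_id: "33333333-3333-3333-3333-333333333333".to_string(),
            display_name: "finance-readers".to_string(),
        },
    ]
}

fn main() {
    let groups = sample_groups();
    println!("collisions by display name: {:?}", find_collisions(&groups, gid_by_display_name));
    println!("collisions by object id:    {:?}", find_collisions(&groups, gid_by_object_id));
}
```

Running the program reports one collision under the display-name scheme (both "linux-admins" groups share a GID) and none under the object-ID scheme; the second group's members would inherit any file or directory permission granted to the first group's GID on a host using the vulnerable derivation.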
💻 Affected Systems
- Himmelblau
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Privileged security group resources become accessible to unauthorized users who create/join different groups with identical display names, potentially leading to data exposure or privilege escalation.
Likely Case
Accidental or opportunistic access to files/directories when users create personal/O365 groups with names matching existing security groups.
If Mitigated
Minimal impact if proper tenant policies restrict group creation or if systems use alternative authorization methods.
🎯 Exploit Status
Requires user ability to create/join Entra ID/O365 groups and knowledge of existing privileged group names.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.9.23 or 1.0.0+
Vendor Advisory: https://github.com/himmelblau-idm/himmelblau/security/advisories/GHSA-2m43-mmg9-3rgc
Restart Required: No
Instructions:
1. Back up the current configuration.
2. Upgrade Himmelblau to version 0.9.23 or higher.
3. Verify that group mappings now use Entra ID object IDs (GUIDs).
🔧 Temporary Workarounds
Restrict Group Creation
Implement tenant policies to prevent arbitrary group creation until all hosts are patched.
🧯 If You Can't Patch
- Implement strict tenant policies restricting group creation and naming conventions.
- Audit and monitor group creation activities for suspicious naming patterns.
🔍 How to Verify
Check if Vulnerable:
Check the Himmelblau version with 'himmelblau --version' and check whether himmelblau.conf sets id_attr_map = name.
Check Version:
himmelblau --version
Verify Fix Applied:
After upgrade, verify group mappings use GUIDs instead of display names by checking group resolution.
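The following added helper (not part of Himmelblau) turns the two checks above into a single assessment: it parses the version reported by 'himmelblau --version' against the affected range 0.9.0 to 0.9.22 and reads the id_attr_map setting from himmelblau.conf. The ini-style key = value format, the treatment of an absent id_attr_map as the affected default, the sample version output and the sample configuration are all assumptions constructed for this example.

```rust
// Added verification helper (not Himmelblau's code). Assumptions: the
// version output contains a dotted x.y.z token; himmelblau.conf is ini-style
// with '#' comments and [section] headers; a missing id_attr_map means the
// affected 0.9.x default (display-name derived GIDs).

#[derive(Debug, PartialEq, Eq)]
pub enum Assessment {
    /// Version 0.9.0-0.9.22 and id_attr_map = name (or unset).
    Vulnerable,
    /// Version 0.9.0-0.9.22 but id_attr_map set to a non-default value: review manually.
    ReviewNeeded,
    /// Version outside the affected range (0.9.23+ or 1.0.0+ carry the fix).
    NotAffected,
    /// Version output could not be parsed.
    Unknown,
}

/// Extract the first x.y.z token from the version output.
pub fn parse_version(output: &str) -> Option<(u32, u32, u32)> {
    for token in output.split_whitespace() {
        let parts: Vec<&str> = token.trim_start_matches('v').split('.').collect();
        if parts.len() != 3 {
            continue;
        }
        if let (Ok(a), Ok(b), Ok(c)) = (
            parts[0].parse::<u32>(),
            parts[1].parse::<u32>(),
            parts[2].parse::<u32>(),
        ) {
            return Some((a, b, c));
        }
    }
    None
}

/// The advisory's affected range, inclusive on both ends.
pub fn in_affected_range(v: (u32, u32, u32)) -> bool {
    v >= (0, 9, 0) && v <= (0, 9, 22)
}

/// Return the value of id_attr_map from the configuration text, if present.
/// Comments after '#' are stripped and section headers are skipped.
pub fn id_attr_map_setting(conf: &str) -> Option<String> {
    for raw in conf.lines() {
        let line = raw.split('#').next().unwrap_or("").trim();
        if line.is_empty() || line.starts_with('[') {
            continue;
        }
        if let Some((key, value)) = line.split_once('=') {
            if key.trim() == "id_attr_map" {
                return Some(value.trim().to_string());
            }
        }
    }
    None
}

/// Combine the version check and the configuration check.
pub fn assess(version_output: &str, conf: &str) -> Assessment {
    let version = match parse_version(version_output) {
        Some(v) => v,
        None => return Assessment::Unknown,
    };
    if !in_affected_range(version) {
        return Assessment::NotAffected;
    }
    match id_attr_map_setting(conf).as_deref() {
        None | Some("name") => Assessment::Vulnerable,
        Some(_) => Assessment::ReviewNeeded,
    }
}

/// Constructed sample inputs (not captured from a real host).
pub const SAMPLE_VERSION_OUTPUT: &str = "himmelblau 0.9.22";
pub const SAMPLE_CONF: &str = "\
[global]
# constructed sample himmelblau.conf; other settings omitted
id_attr_map = name
";

fn main() {
    println!("{:?}", assess(SAMPLE_VERSION_OUTPUT, SAMPLE_CONF));
}
```

Feed the helper the real output of 'himmelblau --version' and the contents of the host's himmelblau.conf; a result of Vulnerable means the host still derives GIDs from display names and should be upgraded to 0.9.23 or later, after which group resolution can be re-checked for GUID-based mappings as described above.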
📡 Detection & Monitoring
Log Indicators:
- Unexpected access patterns to protected resources
- Group creation events with names matching existing security groups
SIEM Query:
Search for group creation events where displayName matches known privileged group names.