CVE-2025-67846
📋 TL;DR
This vulnerability allows remote attackers to bypass security patches and execute downgrade attacks on Mintlify Platform deployments. Attackers can force the application to load vulnerable versions by accessing predictable deployment identifiers on Vercel preview domains. This affects Mintlify Platform users with deployments on Vercel before November 15, 2025.
💻 Affected Systems
- Mintlify Platform
📦 What is this software?
Mintlify by Mintlify
⚠️ Risk & Real-World Impact
Worst Case
Attackers could access unpatched critical vulnerabilities (like RCE, data breaches, or privilege escalation) that were previously fixed in newer deployments, effectively bypassing security updates.
Likely Case
Attackers access moderately severe vulnerabilities that were patched in recent updates, potentially exposing sensitive data or enabling limited unauthorized actions.
If Mitigated
With proper controls, impact is limited to accessing only low-severity patched vulnerabilities or none at all if deployment identifiers are properly secured.
🎯 Exploit Status
Exploitation requires identifying deployment URL patterns but doesn't require authentication or special tools.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 2025-11-15
Vendor Advisory: https://www.mintlify.com/blog/working-with-security-researchers-november-2025
Restart Required: No
Instructions:
1. Update Mintlify Platform to a version released after November 15, 2025.
2. Ensure deployment infrastructure uses non-predictable identifiers.
3. Verify old vulnerable deployments are properly archived or removed.
🔧 Temporary Workarounds
Disable Vercel Preview Deployments
Temporarily disable Vercel preview deployments to prevent access to vulnerable versions.
vercel env rm PREVIEW_DEPLOYMENTS_ENABLED
vercel deploy --prod
Implement Access Controls
Add authentication or IP restrictions to preview deployment domains.
Configure in Vercel dashboard: Settings > Security > Access Control
🧯 If You Can't Patch
- Implement strict network segmentation to isolate preview deployment domains from untrusted networks.
- Monitor and alert on access attempts to old deployment identifiers using WAF or SIEM rules.
🔍 How to Verify
Check if Vulnerable:
Check if your Mintlify deployment uses Vercel preview domains with predictable git-ref or deployment-id subdomains accessible without authentication.
Check Version:
Check Mintlify dashboard or deployment configuration for version date after 2025-11-15.
Verify Fix Applied:
Verify that accessing old deployment identifiers no longer loads vulnerable versions and that deployment identifiers are now unpredictable.
📡 Detection & Monitoring
Log Indicators:
- Access logs showing requests to old deployment identifiers (git-ref-* or deployment-id-* subdomains)
- Unusual traffic patterns to preview deployment domains
Network Indicators:
- HTTP requests to predictable deployment subdomains
- Traffic to archived deployment URLs
SIEM Query:
source="vercel-logs" AND (uri="*git-ref-*" OR uri="*deployment-id-*") AND response_code=200
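The SIEM query above can be prototyped offline before it is deployed. The following is an added example, not code from Mintlify or Vercel: it runs the same two indicators (hosts containing `git-ref-` or `deployment-id-` with an HTTP 200 response) over a handful of constructed access-log lines in a simplified, hypothetical `timestamp client_ip host method path status` format, and additionally flags clients that touch several distinct preview hosts, since a downgrade attempt typically misses a few identifiers before one resolves. Adapt `LOG_RE` to the field layout of your own log exporter.

```python
"""Detect requests to predictable preview-deployment identifiers.

Added example, not Mintlify's or Vercel's code. The access-log layout
parsed here is a constructed, simplified format used only for this demo.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed sample log lines: "<ts> <client_ip> <host> <method> <path> <status>"
SAMPLE_LOG = """\
2025-11-20T10:00:01Z 203.0.113.7 docs-git-ref-abc123-example.vercel.app GET /api/docs 200
2025-11-20T10:00:02Z 203.0.113.7 docs-git-ref-abc124-example.vercel.app GET /api/docs 404
2025-11-20T10:00:03Z 203.0.113.7 docs-deployment-id-9f8e7d-example.vercel.app GET / 200
2025-11-20T10:00:04Z 198.51.100.4 docs.example.com GET / 200
2025-11-20T10:00:05Z 203.0.113.7 docs-git-ref-abc125-example.vercel.app GET /api/docs 200
2025-11-20T10:00:06Z 192.0.2.9 docs-deployment-id-000001-example.vercel.app GET / 200
this line is malformed and should be skipped
"""

# Hypothetical log layout; replace with your exporter's field order.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<host>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)
# The two identifier patterns named in the advisory's log indicators.
INDICATOR_RE = re.compile(r"(git-ref-|deployment-id-)", re.IGNORECASE)


@dataclass(frozen=True)
class Hit:
    ts: str
    ip: str
    host: str
    status: int
    indicator: str


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line; return None for lines that do not match the layout."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_hits(lines: Iterable[str], successful_only: bool = True) -> list:
    """Return Hit records for requests whose host carries a preview identifier.

    With successful_only=True this mirrors the SIEM query (response_code=200).
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip rather than crash the pipeline
        m = INDICATOR_RE.search(rec["host"])
        if not m:
            continue
        status = int(rec["status"])
        if successful_only and status != 200:
            continue
        hits.append(Hit(rec["ts"], rec["ip"], rec["host"], status, m.group(1).lower()))
    return hits


def enumeration_suspects(lines: Iterable[str], min_distinct_hosts: int = 2) -> dict:
    """Map client IP -> number of distinct preview hosts it requested.

    Includes non-200 responses on purpose: probing for an old deployment
    usually produces misses before a hit, and the misses are the signal.
    """
    hosts_by_ip = defaultdict(set)
    for h in find_hits(lines, successful_only=False):
        hosts_by_ip[h.ip].add(h.host)
    return {ip: len(hs) for ip, hs in hosts_by_ip.items() if len(hs) >= min_distinct_hosts}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for h in find_hits(lines):
        print(f"ALERT {h.ts} {h.ip} -> {h.host} ({h.indicator}) status={h.status}")
    print("enumeration suspects:", enumeration_suspects(lines))
```

On the constructed sample, `find_hits` returns the four successful requests to preview-identifier hosts and `enumeration_suspects` singles out the one client that walked four distinct preview hostnames; the 404 probe counts toward that client's tally even though the SIEM query alone would not show it.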