Improper Validation of Certificate Expiration
CVE-2025-59036
Summary
Infrahub offers a central hub to manage data, templates, and playbooks. In versions prior to 1.3.9 and in 1.4.x through 1.4.4, a bug in the authentication logic causes API tokens that were deleted and/or expired to be considered valid. This means that any API token that is associated with an active user account can authenticate successfully. As a workaround, users can delete or deactivate the account associated with a deleted API token to prevent that token from authenticating.
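- Attack Complexity: LOW
- Attack Vector: NETWORK
- Privileges Required: LOW
- Scope: UNCHANGED
- User Interaction: REQUIRED
- Confidentiality Impact: LOW
- Integrity Impact: LOW
- Availability Impact: LOW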
CWE-298 - Improper Validation of Certificate Expiration
A certificate expiration is not validated or is incorrectly validated, so trust may be assigned to certificates that have been abandoned due to age.
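The summary describes tokens authenticating whenever their account is active, regardless of the token's own state. As an added illustration (not Infrahub's code; every name and the in-memory store are hypothetical), this validator checks the token record and the account independently, using constructed sample tokens:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Account:
    name: str
    active: bool = True


@dataclass
class ApiToken:
    account: Account
    expires_at: Optional[datetime] = None  # None means the token never expires
    deleted: bool = False                  # soft-delete flag (assumed storage model)


def validate_token(presented: str, store: dict, now: datetime) -> Optional[Account]:
    """Return the owning account only if token AND account are both valid."""
    record = store.get(presented)
    if record is None or record.deleted:   # hard-deleted or soft-deleted token
        return None
    if record.expires_at is not None and now >= record.expires_at:
        return None                        # expired token
    if not record.account.active:          # the workaround path: inactive account
        return None
    return record.account


def sample_results() -> dict:
    """Run the validator over constructed tokens; True means authenticated."""
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    alice, bob = Account("alice"), Account("bob", active=False)
    store = {
        "tok-live": ApiToken(alice, now + timedelta(days=1)),
        "tok-expired": ApiToken(alice, now - timedelta(seconds=1)),
        "tok-deleted": ApiToken(alice, deleted=True),
        "tok-inactive-account": ApiToken(bob),
    }
    names = list(store) + ["tok-unknown"]  # last one models a hard-deleted token
    return {n: validate_token(n, store, now) is not None for n in names}


if __name__ == "__main__":
    for name, ok in sample_results().items():
        print(f"{name:22} {'ACCEPT' if ok else 'REJECT'}")
```

The four rejected cases work as regression tests for the upgrade: an expired or deleted token must fail even though its account is still active.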