CVE-2025-66406

Published: Dec 3, 2025Modified: Dec 4, 2025

5.0

Vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H

Exploitability: 0.7 / Impact: 4.2

Source: security-advisories@github.com (Secondary)

Description

Step CA is an online certificate authority for secure, automated certificate management for DevOps. Prior to 0.29.0, there is an improper authorization check for SSH certificate revocation. This affects deployments configured with the SSHPOP provisioner. This vulnerability is fixed in 0.29.0.

Related CWEs

CWE-863

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References (1)

https://github.com/smallstep/certificates/security/advisories/GHSA-j7c9-79x7-8hpr

Source: security-advisories@github.com

Timeline

No history available yet.