Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2025-53099

Sentry is a developer-first error tracking and performance monitoring tool. Prior to version 25.5.0, an attacker with a malicious OAuth application registered with Sentry can take advantage of a race condition and improper handling of authorization code within Sentry to maintain persistence to a user's account. With a specially timed requests and redirect flows, an attacker could generate multiple authorization codes that could be used to exchange for access and refresh tokens. This was possible even after de-authorizing the particular application. This issue has been patched in version 25.5.0. Self-hosted Sentry users should upgrade to version 25.5.0 or higher. Sentry SaaS users do not need to take any action.

Security Impact Summary

This vulnerability carries a HIGH severity rating with a CVSS v3.1 score of 7.5, indicating it can be exploited remotely over the network but requires specific conditions to be met without requiring user interaction requiring only low-level privileges . The vulnerability impacts confidentiality (data exposure), integrity (unauthorized modifications), and availability (service disruption) for affected systems. Impacting 1 product from sentry organizations running these solutions should prioritize assessment and patching.

Historical Context

Reported in 2025, this vulnerability emerged during an era marked by increased sophistication in supply chain attacks, cloud infrastructure vulnerabilities, and software-as-a-service (SaaS) security challenges. Security practices during this period emphasized zero-trust architectures, container security, and API protection.

Published

2025-07-01T15:15:26.277

Last Modified

2025-09-15T18:03:33.857

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 7.5 (HIGH)

Weaknesses

Type: Secondary
CWE-288

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	sentry	sentry	< 25.5.0	Yes

References

https://github.com/getsentry/sentry/commit/57f0129e1e977b76fe8d16667a586578791a3dcd Patch ([email protected])
https://github.com/getsentry/sentry/commit/ab5fd932ca6bd46529ba3308b4669e3cee719b8f Patch ([email protected])
https://github.com/getsentry/sentry/commit/e6241254aead969e6c8490a81cde9a01335df19d Patch ([email protected])
https://github.com/getsentry/sentry/pull/85570 Issue Tracking, Patch ([email protected])
https://github.com/getsentry/sentry/pull/85571 Issue Tracking, Patch ([email protected])
https://github.com/getsentry/sentry/pull/86069 Issue Tracking ([email protected])
https://github.com/getsentry/sentry/pull/86532 Issue Tracking ([email protected])
https://github.com/getsentry/sentry/security/advisories/GHSA-mgh8-h4xc-pfmj Vendor Advisory ([email protected])

How SecUtils Interprets This CVE

SecUtils normalizes and enriches National Vulnerability Database (NVD) records by standardizing vendor and product identifiers, aggregating vulnerability metadata from both NVD and MITRE sources, and providing structured context for security teams. For sentry's affected products, we extract Common Platform Enumeration (CPE) data, Common Weakness Enumeration (CWE) classifications, CVSS severity metrics, and reference data to enable rapid vulnerability prioritization and asset correlation. This record contains no exploit code, proof-of-concept instructions, or attack methodologies—only defensive intelligence necessary for patch management, risk assessment, and security operations.