CVE-2025-59036 — Infrahub: Deleted and expired API tokens can still authenticate

Description

### Impact A bug in the authentication logic will cause API tokens that were deleted and/or expired to be considered valid. This means that any API token that is associated with an active user account can authenticate successfully. ### Patches This issue is fixed in versions `1.3.9` and `1.4.5` ### Workarounds Users can delete or deactivate the account associated with a deleted API token to prevent that token from authenticating.

How to fix CVE-2025-59036

To remediate CVE-2025-59036, upgrade the affected package to a fixed version below.

—upgrade to 1.3.9 or later

Is CVE-2025-59036 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 1.3.9

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

References (7)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-59036
PATCHgithub.com/opsmill/infrahub
WEBgithub.com/opsmill/infrahub/commit/215185f217e2f754f7c0a0aa4b77e11079a063a1
WEBgithub.com/opsmill/infrahub/commit/61b49a4a9e988f10c3a44f0e86ef97f344a1e228