CVE-2025-58445 MEDIUM

CVE-2025-58445: Atlantis Exposes Service Version Publicly on /status API Endpoint

Vendor Runatlantis

Product atlantis

Weakness CWE-200 · Info exposure

Published September 6, 2025

Last update September 8, 2025

View on NVD All CVEs

CVSS base score

6.9/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Atlantis is a self-hosted golang application that listens for Terraform pull request events via webhooks. All versions of Atlantis publicly expose detailed version information through its /status endpoint. This information disclosure could allow attackers to identify and target known vulnerabilities associated with the specific versions, potentially compromising the service's security posture. This issue does not currently have a fix.

Key dates

02Disclosure timeline

September 6, 2025 CVE published

September 8, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-58445

Related vulnerabilities

CVE-2025-58445: Atlantis Exposes Service Version Publicly on /status API Endpoint

01Description

02Disclosure timeline

03References

04Related CVE