What is CVE-2025-66406?

CVE-2025-66406 is a medium-severity vulnerability in Smallstep Certificates, classified under Incorrect Authorization. CVSS score: 5.0/10. Published 2025-12-03.

How severe is CVE-2025-66406?

Medium severity. CVSS v3 base score is 5.0 out of 10.

Auth bypass in Smallstep Certificates

CVE-2025-66406

Step CA is an online certificate authority for secure, automated certificate management for DevOps. Prior to 0.29.0, there is an improper authorization check for SSH certificate revocation. This affects deployments configured with the SSHP…

Vulnerability class: Broken Access Control

EPSS: 0.000 (8.3th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 5.0 (Medium). Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H.

Affected products

Smallstep Certificates — versions < 0.29.0

Weakness classification (CWE)

CWE-863 — Incorrect Authorization

References

https://github.com/smallstep/certificates/security/advisories/GHSA-j7c9-79x7-8hpr (x_refsource_CONFIRM)

Frequently asked questions

What is CVE-2025-66406?: CVE-2025-66406 is a medium-severity vulnerability in Smallstep Certificates, classified under Incorrect Authorization. CVSS score: 5.0/10. Published 2025-12-03.
How severe is CVE-2025-66406?: Medium severity. CVSS v3 base score is 5.0 out of 10.