CVE-2025-65109 Overview
CVE-2025-65109 affects Minder, an open source software supply chain security platform maintained by mindersec. The vulnerability allows authenticated users to make the Minder server fetch content from URLs in the server's network context. This includes resources the user would not normally have access to from their own context. The flaw is classified under CWE-830 (Inclusion of Web Functionality from an Untrusted Source) and behaves as a Server-Side Request Forgery (SSRF) condition. Affected releases include Minder Helm version 0.20241106.3386+ref.2507dbf and Minder Go versions 0.0.72 through 0.0.83.
Critical Impact
Authenticated attackers can coerce the Minder server into fetching URLs on its behalf, exposing internal resources and confidential data accessible to the server's identity.
Affected Products
- Minder Helm chart version 0.20241106.3386+ref.2507dbf and later (prior to 0.20250203.3849+ref.fdc94f0)
- Minder Go module versions 0.0.72 through 0.0.83
- Self-hosted Minder server deployments using affected Helm or Go releases
Discovery Timeline
- 2025-11-21 - CVE-2025-65109 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-65109
Vulnerability Analysis
Minder provides supply chain security features that fetch external content as part of policy evaluation and rule processing. The vulnerable code paths accept user-supplied URLs and dispatch HTTP requests from the Minder server process. Because the server may have network access to internal services, cloud metadata endpoints, or private repositories, attackers can target resources that are unreachable from the client's network. The issue is tracked in GitHub Security Advisory GHSA-6xvf-4vh9-mw47.
Root Cause
The root cause is missing validation and isolation of URLs supplied to server-side fetch operations. Minder treated user-controlled URLs as trusted inputs for outbound HTTP requests. The fix introduced in the remediation commit constrains how the server resolves and retrieves user-provided content. This aligns with the [CWE-830] categorization, where functionality from an untrusted source is included in privileged execution contexts.
Attack Vector
Exploitation requires network access to the Minder API and low-privileged authentication. An attacker submits a crafted URL through a Minder feature that fetches remote content during rule or profile evaluation. The Minder server retrieves the URL with its own credentials and network reachability. Returned content may be reflected to the attacker or used in downstream policy decisions. Targets typically include internal HTTP services, cloud instance metadata endpoints, and private Git repositories accessible to the server identity.
No public proof-of-concept exploit is currently available. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Detection Methods for CVE-2025-65109
Indicators of Compromise
- Outbound HTTP requests from the Minder server process to internal RFC1918 addresses or cloud metadata endpoints such as 169.254.169.254
- Minder audit log entries showing user-submitted rule or profile content referencing unexpected URL schemes or internal hostnames
- Unusual response sizes or error patterns in Minder fetch operations correlated with low-privileged user activity
Detection Strategies
- Inspect Minder application logs for fetch operations initiated by non-administrative accounts and validate the destination URLs against an allowlist
- Correlate egress proxy or firewall logs with the Minder server's source IP to identify requests to internal services or metadata APIs
- Monitor Minder version metadata in deployment manifests to identify clusters running affected Helm chart or Go module versions
Monitoring Recommendations
- Enable verbose request logging on the Minder server and forward to a centralized analytics platform for retrospective query
- Alert on any outbound connection from the Minder pod or host to link-local, loopback, or private network ranges
- Track changes to Minder profiles, rule types, and entity registrations that include external URL references
How to Mitigate CVE-2025-65109
Immediate Actions Required
- Upgrade Minder Helm deployments to version 0.20250203.3849+ref.fdc94f0 or later
- Upgrade Minder Go module installations to version 0.0.84 or later
- Review recent user activity for suspicious URL submissions during the exposure window and rotate any credentials reachable from the Minder server
Patch Information
The maintainers patched the vulnerability in Minder Helm 0.20250203.3849+ref.fdc94f0 and Minder Go 0.0.84. The remediation is implemented in commit f770400923984649a287d7215410ef108e845af8. Operators should consult GHSA-6xvf-4vh9-mw47 for vendor guidance.
Workarounds
- Restrict egress traffic from the Minder server to only the external hosts required for operation, blocking internal address ranges and cloud metadata endpoints
- Limit Minder user permissions so that only trusted roles can create or modify rule types and profiles that perform remote fetches
- Place the Minder server behind an authenticated egress proxy that enforces a URL allowlist for outbound HTTP requests
# Configuration example: upgrade Minder Helm release to the patched version
helm repo update
helm upgrade minder mindersec/minder \
--version 0.20250203.3849+ref.fdc94f0 \
--namespace minder-system
# Verify the deployed version after upgrade
kubectl -n minder-system get deploy minder-server \
-o jsonpath='{.spec.template.spec.containers[0].image}'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

