Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-67846

CVE-2025-67846: Mintlify Platform RCE Vulnerability

CVE-2025-67846 is a remote code execution vulnerability in Mintlify Platform that allows attackers to bypass security patches through predictable deployment identifiers. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-67846 Overview

CVE-2025-67846 affects the Mintlify Platform deployment infrastructure prior to the 2025-11-15 release. Remote attackers can bypass applied security patches by requesting older, vulnerable deployments hosted on Vercel preview domains. The flaw stems from predictable deployment identifiers exposed through git-ref and deployment-id subdomains. An attacker who reconstructs a prior deployment URL can force the application to load an unpatched build. This enables downgrade attacks that reintroduce previously fixed vulnerabilities, resulting in limited confidentiality and integrity impact against affected tenants.

Critical Impact

Attackers can reach previously patched code paths by browsing to legacy Vercel preview deployments, effectively nullifying security fixes released for the Mintlify Platform.

Affected Products

  • Mintlify Platform (Vercel-hosted deployment infrastructure) before 2025-11-15
  • Mintlify preview environments accessible via git-ref subdomains
  • Mintlify preview environments accessible via deployment-id subdomains

Discovery Timeline

  • 2025-12-19 - CVE-2025-67846 published to the National Vulnerability Database (NVD)
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-67846

Vulnerability Analysis

The vulnerability is a downgrade attack enabled by exposed, addressable historical deployments. Vercel automatically produces preview URLs for each build, tied to git references and deployment identifiers. Mintlify's deployment infrastructure did not restrict access to these historical previews after production was updated with security fixes. As a result, previous vulnerable revisions of the platform remained reachable at their original URLs. The weakness maps to [CWE-472] Reliance on Untrusted Inputs in a Security Decision, because the platform trusted the client-supplied deployment identifier to determine which build to serve.

Root Cause

The root cause is the persistence and predictability of Vercel preview deployment URLs combined with the absence of access controls or deprecation for outdated builds. When Mintlify shipped patches, older builds containing the vulnerable code remained hosted and network-reachable. Any authenticated or unauthenticated request to a legacy git-ref.mintlify.app or deployment-id.mintlify.app subdomain returned the corresponding unpatched application version.

Attack Vector

An attacker enumerates or discovers prior deployment identifiers, then issues an HTTP request directly to the associated preview subdomain. The Mintlify Platform serves the historical build, which still contains the original security defects. The attacker then chains the original vulnerability against the resurrected version. Exploitation requires only network access to the Vercel preview domain and does not require privileges or user interaction.

No verified proof-of-concept code is published for this issue. Public technical background is available in the Kibty blog post and the associated Hacker News discussion.

Detection Methods for CVE-2025-67846

Indicators of Compromise

  • Inbound HTTP requests to Mintlify preview subdomains that reference historical git refs or deployment identifiers rather than the canonical production hostname.
  • Access log entries showing repeated enumeration of *.mintlify.app or Vercel preview hostnames from a single source.
  • Application telemetry indicating execution of code paths that were removed or modified in the current production build.

Detection Strategies

  • Correlate CDN and origin access logs to identify requests that resolve to non-current deployment IDs.
  • Alert on traffic patterns that bypass the canonical production hostname in favor of preview subdomains for authenticated user flows.
  • Baseline the set of active deployment identifiers and flag requests to any identifier outside that allowlist.

Monitoring Recommendations

  • Ingest Vercel and Mintlify deployment access logs into a centralized analytics platform for retention and correlation.
  • Monitor for automated scanners probing predictable subdomain patterns against Mintlify-hosted tenants.
  • Track authentication and session activity against preview domains and treat any such activity as suspicious.

How to Mitigate CVE-2025-67846

Immediate Actions Required

  • Confirm your Mintlify tenant is served from the platform release dated 2025-11-15 or later.
  • Block or redirect traffic to legacy Vercel preview subdomains at the DNS, WAF, or edge layer.
  • Rotate any secrets, tokens, or session identifiers that may have been exposed by prior vulnerable deployments.

Patch Information

Mintlify released fixes to the deployment infrastructure on 2025-11-15. The vendor documented the response in the Mintlify security research blog post and platform updates are tracked in the Mintlify documentation changelog. No customer-side patch is required; the fix is applied at the platform level by restricting access to historical deployments.

Workarounds

  • Enforce access to the Mintlify site only through the canonical production domain using CSP, HSTS, and referrer policies.
  • Configure an edge proxy or WAF rule to reject requests whose Host header matches a Vercel preview pattern.
  • Disable or expire outdated preview deployments as part of a regular release hygiene process.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.