In January 2025, a critical security vulnerability, identified as CVE-2025-22146, was discovered in Sentry's Security Assertion Markup Language (SAML) Single Sign-On (SSO) implementation. Sentry is a widely known and used developer-first error tracking and performance monitoring solution. This vulnerability was brought to our attention through our private bug bounty program, and here, we will discuss the specific details of the vulnerability, relevant code snippets, original references, and the steps necessary to prevent exploitation of this vulnerability.
The Vulnerability: CVE-2025-22146
CVE-2025-22146 allows an attacker to take over any user account on a Sentry instance by using a malicious SAML Identity Provider (IdP) together with a second organization on the same instance. To exploit this vulnerability, the attacker must know the victim's email address. The fix for Sentry SaaS was deployed on January 14, 2025. If you run a self-hosted Sentry instance that allows only a single organization (SENTRY_SINGLE_ORGANIZATION = True), you do not need to take any action. If SENTRY_SINGLE_ORGANIZATION is not set to True, you must upgrade to Sentry version 25.1 or higher. There are no known workarounds for this vulnerability.
The request below demonstrates how the vulnerability was exploited: a SAML response issued by an attacker-controlled IdP, naming the victim's email address as the subject, is posted to the organization's SAML callback endpoint:
POST /organizations/example/auth/saml2/callback HTTP/1.1
Host: sentry.example.com
Content-Type: application/x-www-form-urlencoded
...
SAMLResponse=...

Issuer:
<ns:Issuer xmlns:ns="urn:oasis:names:tc:SAML:2.0:assertion">https://malicious-idp.example.com/metadata</ns:Issuer>

Subject:
<ns:Subject xmlns:ns="urn:oasis:names:tc:SAML:2.0:assertion">
  <ns:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">victim@example.com</ns:NameID>
  ...
</ns:Subject>
It's important to note that the actual exploitation might vary depending on the specific Sentry instance configuration and the SAML Identity Provider used.
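As an added illustration (not Sentry's code or its actual patch), the following Python models the two conditions behind the request above and shows a callback check that rejects it: the Issuer must be the IdP configured for the organization whose callback received the response, and the asserted email must already belong to a member of that organization before it is linked to any account. The organization slugs, IdP entity IDs, member lists and SAML XML are constructed sample values.

```python
import xml.etree.ElementTree as ET

# Constructed sample data for this example (not from Sentry).
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ORG_IDP = {                      # org slug -> entity ID of its configured IdP
    "example": "https://idp.example.com/metadata",
    "attacker-org": "https://malicious-idp.example.com/metadata",
}
ORG_MEMBERS = {                  # org slug -> emails of existing members
    "example": {"victim@example.com"},
    "attacker-org": {"attacker@attacker-org.example"},
}

def make_response(issuer, email):
    """Build a minimal SAML response carrying the given Issuer and NameID."""
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        f"<saml:Issuer>{issuer}</saml:Issuer><saml:Subject>"
        '<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">'
        f"{email}</saml:NameID></saml:Subject></samlp:Response>"
    )

def parse_response(xml_text):
    """Return (issuer, name_id) from the SAML XML, or raise on a malformed body."""
    root = ET.fromstring(xml_text)
    issuer = root.find(".//saml:Issuer", SAML_NS)
    name_id = root.find(".//saml:Subject/saml:NameID", SAML_NS)
    if issuer is None or name_id is None or not issuer.text or not name_id.text:
        raise ValueError("response lacks Issuer or Subject/NameID")
    return issuer.text.strip(), name_id.text.strip()

def authenticate_callback(org_slug, xml_text):
    """Decide whether the callback for `org_slug` may sign in the asserted user.

    The Issuer must be the IdP configured for the organization that received the
    callback, and the asserted email must belong to an existing member of that
    same organization. Either failure is rejected; identities are never merged
    onto an existing account by email alone.
    """
    issuer, email = parse_response(xml_text)
    if ORG_IDP.get(org_slug) != issuer:
        return {"ok": False, "reason": "issuer-not-configured-for-org", "issuer": issuer}
    if email not in ORG_MEMBERS.get(org_slug, set()):
        return {"ok": False, "reason": "email-not-member-of-org", "email": email}
    return {"ok": True, "org": org_slug, "email": email}

# The request shown on the page: malicious IdP issuer, victim's email, posted to
# the "example" organization's callback.
MALICIOUS = make_response("https://malicious-idp.example.com/metadata", "victim@example.com")
```

Posting the same malicious response to the attacker's own organization passes the issuer check but fails the membership check, which is the second path the advisory describes.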
For more information on CVE-2025-22146, please refer to the following resources:
- Sentry's Official GitHub Repository
- Sentry's Official Documentation
- Sentry's Official Blog Post on the Vulnerability
Recommended Mitigation Steps
As previously stated, if you are running a Sentry instance with the SENTRY_SINGLE_ORGANIZATION configuration set to True, you do not need to take any action. However, if this is not the case for your instance, you should take the following steps to protect your users:
1. Upgrade your Sentry instance to version 25.1 or higher.
2. Review your instance's SAML configuration and ensure that only trusted Identity Providers are allowed to authenticate users.
3. Encourage your users to enable Sentry's Two-Factor Authentication (2FA) as an additional layer of protection.
4. Regularly review and update your organization's security practices to protect against future vulnerabilities.
In conclusion, CVE-2025-22146 demonstrates that even widely trusted and used tools can have critical vulnerabilities. As a Sentry user, it is essential to act promptly to mitigate the risks posed by such vulnerabilities and protect your organization's user accounts.
Timeline
Published on: 01/15/2025 20:15:30 UTC