Atlantis Exposes Service Version Publicly on /status API Endpoint
Description
Atlantis is a self-hosted golang application that listens for Terraform pull request events via webhooks. All versions of Atlantis publicly expose detailed version information through its /status endpoint. This information disclosure could allow attackers to identify and target known vulnerabilities associated with the specific versions, potentially compromising the service's security posture. This issue does not currently have a fix.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Atlantis exposes its version via the unauthenticated /status endpoint, allowing attackers to identify and target known vulnerabilities.
Vulnerability
Overview
CVE-2025-58445 describes an information disclosure vulnerability in Atlantis, a self-hosted Go application that automates Terraform workflows via pull request webhooks. The /status endpoint, intended as a health check, returns detailed version and build information without requiring authentication [1][2]. This violates security best practices that recommend minimizing exposed metadata.
Exploitation
An attacker can simply issue a GET request to http:///status to retrieve the version string. No authentication or special network position is required. The disclosed version can then be cross-referenced with public vulnerability databases (e.g., NVD) to identify known flaws in that specific release [2]. This lowers the barrier for targeted attacks.
Impact
The vulnerability is classified as information disclosure. While it does not directly allow code execution, it enables attackers to tailor exploits based on the exact version of Atlantis and its dependencies. This could lead to broader compromise if the underlying software has exploitable vulnerabilities [2]. All versions of Atlantis are affected, and no fix is currently available [1][2].
Mitigation
As of the publication date, there is no patch. Administrators are advised to restrict access to the /status endpoint using network-level controls (e.g., firewall rules or reverse proxy authentication) until an official fix is released [2]. The issue is tracked in the project's GitHub repository [3].
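One way to apply the network-level mitigation above, as an added example that is not part of the advisory or the Atlantis project: an nginx reverse-proxy configuration that exposes /status only to an internal health-check network, keeps the webhook endpoint reachable by the VCS provider, and puts the rest of the Atlantis UI behind basic auth. It assumes Atlantis listens on 127.0.0.1:4141 (its default port), that webhooks arrive on /events (its default webhook path), and that 10.0.0.0/8 is the health-check network; the hostname and file paths are placeholders.

```nginx
# Added example (not from the advisory or the Atlantis project): nginx in front of Atlantis.
# Assumptions: Atlantis listens on 127.0.0.1:4141 (its default port), the VCS webhook
# is delivered to /events (Atlantis's default webhook path), and 10.0.0.0/8 is the
# internal network that runs health checks. Adjust all three to your deployment.

upstream atlantis {
    server 127.0.0.1:4141;
}

server {
    listen 443 ssl;
    server_name atlantis.example.internal;              # placeholder hostname

    ssl_certificate     /etc/nginx/tls/atlantis.crt;    # placeholder paths
    ssl_certificate_key /etc/nginx/tls/atlantis.key;

    # /status: only internal health checkers may reach it; everyone else gets 403,
    # so the version string never leaves the internal network.
    # 'allow' and 'deny' are evaluated in order, so 'deny all' must come last.
    location = /status {
        allow 10.0.0.0/8;
        deny  all;
        proxy_pass http://atlantis;
    }

    # /events: must stay reachable by the VCS provider, or pull request webhooks
    # stop arriving. Atlantis validates the webhook secret itself, so no basic auth.
    location = /events {
        proxy_pass http://atlantis;
        proxy_set_header Host $host;
    }

    # Everything else (the Atlantis UI, lock pages, etc.) sits behind basic auth.
    location / {
        auth_basic           "Atlantis";
        auth_basic_user_file /etc/nginx/atlantis.htpasswd;   # placeholder path
        proxy_pass http://atlantis;
        proxy_set_header Host $host;
    }
}
```

After reloading nginx, verify the control: a client outside 10.0.0.0/8 should receive 403 on /status, while a host inside it still gets the health response.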
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/runatlantis/atlantis (Go) | <= 0.35.1 | — |
Affected products
- runatlantis/atlantis (v5), range: <= 0.35.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. github.com/advisories/GHSA-xh7v-965r-23f7 (GHSA advisory)
2. nvd.nist.gov/vuln/detail/CVE-2025-58445 (NVD advisory)
3. github.com/runatlantis/atlantis/security/advisories/GHSA-xh7v-965r-23f7 (project advisory, confirmed)
News mentions
No linked articles in our index yet.