Key information

Vulnerability title: Missing Invalidation of Authorization Codes During OAuth Exchange and Revocation

Severity: Moderate

CVE ID: CVE-2025-53099

Impact: An attacker with a malicious OAuth application registered with Sentry can take advantage of a race condition and improper handling of authorization codes within Sentry to maintain persistence to a user's account. With specially timed requests and redirect flows, an attacker could generate multiple authorization codes that could be exchanged for access and refresh tokens. This was possible even after de-authorizing the particular application.

Affected versions: <25.5.0

Patched version: 25.5.0

Patch: Self-hosted Sentry users should upgrade to version 25.5.0 or higher. Sentry SaaS users do not need to take any action.

Workarounds: There are no known workarounds available for this vulnerability. Sentry self-hosted users should upgrade to 25.5.0 or higher.

Weakness: CWE-288

Reporter: rakesh0x7