CVE-2025-53099
Sentry Missing Invalidation of Authorization Codes During OAuth Exchange and RevocationSentry is a developer-first error tracking and performance monitoring tool. Prior to version 25.5.0, an attacker with a malicious OAuth application registered with Sentry can take advantage of a race condition and improper handling of authorization code within Sentry to maintain persistence to a user's account. With a specially timed requests and redirect flows, an attacker could generate multiple authorization codes that could be used to exchange for access and refresh tokens. This was possible even after de-authorizing the particular application. This issue has been patched in version 25.5.0. Self-hosted Sentry users should upgrade to version 25.5.0 or higher. Sentry SaaS users do not need to take any action.
We have discovered 62 live websites that are affected by CVE-2025-53099.
Affected Software
| Product |  Sentry Server |
| Category | Error and Exception Monitoring |
| Vulnerable Domains | 62 live websites (100% of Sentry Server install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 0 versions ( less than 0.1% of all versions) |
Common Weakness Enumeration
CWE-288 Authentication Bypass Using an Alternate Path or ChannelDetails
- Published - Jul 1, 2025
- Updated - Jul 1, 2025
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2025-53099 United States | 19 websites |
 Germany | 11 websites |
 France | 10 websites |
 Iran | 3 websites |
 Russia | 3 websites |
 Australia | 2 websites |
 Switzerland | 2 websites |
 China | 2 websites |
 GB | 2 websites |
 Hungary | 2 websites |
Website Distribution by TLD
Number of websites using CVE-2025-53099| .com | 23 websites |
| .it | 5 websites |
| .de | 4 websites |
| .co | 2 websites |
| .com.au | 2 websites |
| .ru | 2 websites |
| .ch | 1 websites |
| .cn | 1 websites |
| .eu | 1 websites |
| .io | 1 websites |
Websites affected by CVE-2025-53099
Top websites that are affected by CVE-2025-53099. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ******.********.eu | Switzerland | ***,*** | |
| ***.***********.com | United States | ***,*** | |
| **************.*******.me |  Brazil | *,***,*** | |
| ********.com | Germany | *,***,*** | |
| ******.******.com | United States | *,***,*** | |
| *****.com | United States | *,***,*** | |
| *******.****.ch | Switzerland | *,***,*** | |
| ******.****.*.io | GB | *,***,*** | |
| ******.****************.solutions | United States | *,***,*** | |
| ******.****.com | United States | **,***,*** |
FAQ
CVE-2025-53099 is Authentication Bypass Using an Alternate Path or Channel in Sentry Server
A total of 62 websites have been identified as vulnerable to CVE-2025-53099, based on global website indexing conducted by WebTechSurvey.
The Sentry Server is affected by the CVE-2025-53099 vulnerability.
Sentry Server versions up to 25.5 are vulnerable to CVE-2025-53099.
CVE-2025-53099 is resolved in version 25.5 of Sentry Server.
References
- https://github.com/getsentry/sentry/security/advisories/GHSA-mgh8-h4xc-pfmj
- https://github.com/getsentry/sentry/pull/85570
- https://github.com/getsentry/sentry/pull/85571
- https://github.com/getsentry/sentry/pull/86069
- https://github.com/getsentry/sentry/pull/86532
- https://github.com/getsentry/sentry/commit/57f0129e1e977b76fe8d16667a586578791a3dcd
- https://github.com/getsentry/sentry/commit/ab5fd932ca6bd46529ba3308b4669e3cee719b8f
- https://github.com/getsentry/sentry/commit/e6241254aead969e6c8490a81cde9a01335df19d