--[ Security Advisory: Hardcoded Private Keys in ATLAS-EPIC Repository (CVE-2025-60639)
 
Published Date: October 11, 2025
CVE ID: CVE-2025-60639
 
--[ Summary
 
A hard-coded credentials vulnerability (CWE-798: Use of Hard-coded Credentials)
was discovered in the ATLAS-EPIC repository: a private key and its associated
client ID are committed under the auth/keys directory. Because the repository is
readable by anyone, remote attackers with no credentials of their own can use
the key to authenticate to the protected FHIR data pipelines in Palantir Foundry,
potentially leading to disclosure of sensitive health information.
 
--[ Affected Software
 
Product: ATLAS-EPIC (Palantir Foundry)
Versions: Main Branch
 
--[ Vulnerability Details
 
The ATLAS-EPIC repository contains a directory, auth/keys, holding the
credentials used for FHIR authentication:

* private_key.pem: A 2048-bit RSA private key (unencrypted, ~1.7 KB) stored in
  plain text.
* client_id.txt: The client ID the key is registered under. The ID itself is not
  secret, but together with the private key it is everything needed to
  authenticate as the application.

These files are publicly accessible. An attacker can clone the repository and
use the private key with the client ID to authenticate to the FHIR endpoints,
gaining unauthorized access to the Palantir Foundry data pipelines.
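As a practical check for the class of defect described above, the following
Python script is an added example; it is not code from the ATLAS-EPIC project or
from the original advisory. It walks a checked-out tree, flags every PEM
private-key block, reports whether the block is passphrase-protected, and for
plain PKCS#1 RSA keys reads the modulus size straight out of the DER, so an
unencrypted 2048-bit key like the one described would surface as
`RSA PRIVATE KEY encrypted=False rsa_bits=2048`. The directory layout written by
demo() (auth/keys/private_key.pem, client_id.txt) follows the advisory; the key
material it writes is constructed to be structurally valid only and is not a
real or recovered key.

```python
"""Added example: locate hard-coded private keys in a checked-out tree.

Not part of the ATLAS-EPIC project. The sample key material below is
constructed for the demonstration and is not the leaked key.
"""
import base64
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Iterator, List, Optional

# Any PEM private-key block: PKCS#1 "RSA PRIVATE KEY", PKCS#8 "PRIVATE KEY" /
# "ENCRYPTED PRIVATE KEY", "EC PRIVATE KEY", "OPENSSH PRIVATE KEY", ...
PEM_RE = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]*PRIVATE KEY)-----\r?\n(.*?)-----END \1-----",
    re.DOTALL,
)


@dataclass
class KeyFinding:
    path: str                 # path relative to the scanned root, '/'-separated
    label: str                # PEM label, e.g. "RSA PRIVATE KEY"
    encrypted: bool           # True when the key material is passphrase-protected
    rsa_bits: Optional[int]   # modulus size for plain PKCS#1 RSA keys, else None


def _der_tlv(buf: bytes, pos: int):
    """Decode one DER tag/length/value triple starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(der: bytes) -> Optional[int]:
    """PKCS#1 RSAPrivateKey ::= SEQUENCE { version INTEGER, modulus INTEGER, ... }."""
    tag, body, _ = _der_tlv(der, 0)
    if tag != 0x30:
        return None
    tag, _version, pos = _der_tlv(body, 0)
    if tag != 0x02:
        return None
    tag, modulus, _ = _der_tlv(body, pos)
    if tag != 0x02:
        return None
    return int.from_bytes(modulus, "big").bit_length()


def analyse_pem(data: bytes, path: str) -> Iterator[KeyFinding]:
    """Yield one finding per PEM private-key block present in data."""
    for m in PEM_RE.finditer(data):
        label, body = m.group(1).decode(), m.group(2)
        # PKCS#8 signals encryption in the label; PKCS#1 uses a Proc-Type header.
        encrypted = label.startswith("ENCRYPTED") or b"Proc-Type: 4,ENCRYPTED" in body
        bits = None
        if label == "RSA PRIVATE KEY" and not encrypted:
            try:
                bits = rsa_modulus_bits(base64.b64decode(b"".join(body.split())))
            except (ValueError, IndexError):
                bits = None                 # malformed blob: still report the block
        yield KeyFinding(path, label, encrypted, bits)


def scan_tree(root: str, max_bytes: int = 1 << 20) -> List[KeyFinding]:
    """Walk a working tree (skipping .git) and collect private-key findings."""
    findings: List[KeyFinding] = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.getsize(path) > max_bytes:
                continue                    # skip large binaries
            with open(path, "rb") as fh:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.extend(analyse_pem(fh.read(), rel))
    return findings


# --- constructed sample input (NOT real keys) -------------------------------
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _der_int(v: int) -> bytes:
    raw = v.to_bytes(v.bit_length() // 8 + 1, "big")   # leading 0x00 keeps it positive
    return b"\x02" + _der_len(len(raw)) + raw


def constructed_rsa_pem(bits: int) -> bytes:
    """Structurally valid PKCS#1 blob with a fake modulus; useless as a key."""
    fields = [_der_int(0), _der_int((1 << (bits - 1)) | 1), _der_int(65537)]
    body = b"".join(fields + [_der_int(0)] * 6)   # d, p, q, dP, dQ, qInv placeholders
    der = b"\x30" + _der_len(len(body)) + body
    return (b"-----BEGIN RSA PRIVATE KEY-----\n" + base64.encodebytes(der)
            + b"-----END RSA PRIVATE KEY-----\n")


CONSTRUCTED_ENCRYPTED_PEM = (
    b"-----BEGIN RSA PRIVATE KEY-----\n"
    b"Proc-Type: 4,ENCRYPTED\n"
    b"DEK-Info: AES-256-CBC,00000000000000000000000000000000\n\n"
    b"AAAA\n"
    b"-----END RSA PRIVATE KEY-----\n"
)


def demo() -> List[KeyFinding]:
    """Write the constructed samples into a temporary auth/keys dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        keys = os.path.join(root, "auth", "keys")
        os.makedirs(keys)
        with open(os.path.join(keys, "private_key.pem"), "wb") as fh:
            fh.write(constructed_rsa_pem(2048))
        with open(os.path.join(keys, "backup.pem"), "wb") as fh:
            fh.write(CONSTRUCTED_ENCRYPTED_PEM)
        with open(os.path.join(keys, "client_id.txt"), "wb") as fh:
            fh.write(b"example-client-id\n")       # non-secret, must not be flagged
        return sorted(scan_tree(root), key=lambda f: f.path)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.path}: {f.label} encrypted={f.encrypted} rsa_bits={f.rsa_bits}")
```

Run scan_tree() against the repository root. It inspects the working tree only:
a key that was committed and later deleted still lives in the commit history, so
a history search (for example `git log -p -S 'PRIVATE KEY'`) is needed as well,
and in either case the key must be rotated rather than merely removed.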
 
--[ Mitigation
 
* Remove Credentials: Delete the auth/keys directory from the repository. Note
  that removing the files from the working tree does not remove them from the
  commit history; anyone who already cloned the repository, or who walks its
  history, still has the key.
* Rotate Keys: Invalidate the exposed private key and regenerate the private key
  and client ID in Foundry. Rotation is required regardless of whether the
  history is rewritten.
 
--[ Disclosure Timeline
 
2025-08-25: Vulnerability discovered during repository audit.
2025-10-10: CVE-2025-60639 assigned by MITRE.
2025-10-11: Public advisory published.