CVE-2025-64103

Oct. 29, 2025, 7:15 p.m.

8.7
High

Description

Starting from 2.53.6, 2.54.3, and 2.55.0, Zitadel only required multi factor authentication in case the login policy has either enabled requireMFA or requireMFAForLocalUsers. If a user has set up MFA without this requirement, Zitadel would consider single factor auhtenticated sessions as valid as well and not require multiple factors. Bypassing second authentication factors weakens multifactor authentication and enables attackers to bypass the more secure factor. An attacker can target the TOTP code alone, only six digits, bypassing password verification entirely and potentially compromising accounts with 2FA enabled. This vulnerability is fixed in 4.6.0, 3.4.3, and 2.71.18.

Product(s) Impacted

Vendor Product Versions
Zitadel
  • Zitadel
  • 2.53.6, 2.54.3, 2.55.0, 4.6.0, 3.4.3, 2.71.18

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-287
Improper Authentication
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a zitadel zitadel 2.53.6 / / / / / / /
a zitadel zitadel 2.54.3 / / / / / / /
a zitadel zitadel 2.55.0 / / / / / / /
a zitadel zitadel 4.6.0 / / / / / / /
a zitadel zitadel 3.4.3 / / / / / / /
a zitadel zitadel 2.71.18 / / / / / / /

References

https://github.com/zitadel/zitadel/commit/b284f8474eed0cba531905101619e7ae7963156b
https://github.com/zitadel/zitadel/security/advisories/GHSA-cfjq-28r2-4jv5

Tags

security-advisories@github.com
CWE-287
2025-10-29
CVE-2025-64103

CVSS Score

8.7 / 10

CVSS Data - 4.0

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Attack Requirements: NONE
  • Privileges Required: LOW
  • User Interaction: NONE
  • Scope:
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH
  • Exploit Maturity: NOT_DEFINED

    • CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    View Vector String

Timeline

Published: Oct. 29, 2025, 7:15 p.m.
Last Modified: Oct. 29, 2025, 7:15 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.