CVE-2025-64103

EPSS 0.31%
Veröffentlicht 29.10.2025 18:43:46
Zuletzt bearbeitet 04.11.2025 13:17:27
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Zitadel Bypass Second Authentication Factor

Starting from 2.53.6, 2.54.3, and 2.55.0, Zitadel only required multi factor authentication in case the login policy has either enabled requireMFA or requireMFAForLocalUsers. If a user has set up MFA without this requirement, Zitadel would consider single factor auhtenticated sessions as valid as well and not require multiple factors. Bypassing second authentication factors weakens multifactor authentication and enables attackers to bypass the more secure factor. An attacker can target the TOTP code alone, only six digits, bypassing password verification entirely and potentially compromising accounts with 2FA enabled. This vulnerability is fixed in 4.6.0, 3.4.3, and 2.71.18.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 5

NVD 5 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Zitadel ≫ Zitadel Version >= 2.53.6 <= 2.53.9

Zitadel ≫ Zitadel Version >= 2.54.3 <= 2.54.10

Zitadel ≫ Zitadel Version >= 2.55.0 < 2.71.18

Zitadel ≫ Zitadel Version >= 3.0.0 < 3.4.3

Zitadel ≫ Zitadel Version >= 4.0.0 < 4.6.0

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.31%	0.221

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	8.7	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

CWE-308 Use of Single-factor Authentication

The use of single-factor authentication can lead to unnecessary risk of compromise when compared with the benefits of a dual-factor authentication scheme.

https://github.com/zitadel/zitadel/security/advisories/GHSA-cfjq-28r2-4jv5

Vendor Advisory

https://github.com/zitadel/zitadel/commit/b284f8474eed0cba531905101619e7ae7963156b

Patch

https://nvd.nist.gov/vuln/detail/CVE-2025-64103

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-64103

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-64103

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-64103