Zitadel Bypass Second Authentication Factor_CVE-2025-64103

8.7 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

Starting from 2.53.6, 2.54.3, and 2.55.0, Zitadel only required multi factor authentication in case the login policy has either enabled requireMFA or requireMFAForLocalUsers. If a user has set up MFA without this requirement, Zitadel would consider single factor auhtenticated sessions as valid as well and not require multiple factors. Bypassing second authentication factors weakens multifactor authentication and enables attackers to bypass the more secure factor. An attacker can target the TOTP code alone, only six digits, bypassing password verification entirely and potentially compromising accounts with 2FA enabled. This vulnerability is fixed in 4.6.0, 3.4.3, and 2.71.18.

AI Analysis

Bypassing second authentication factors weakens multifactor authentication, enabling attackers to bypass the more secure factor by targeting the TOTP code alone.

Basic Information

ID CVE-2025-64103

Source GitHub_M

Published Oct 29, 2025 at 18:43

Modified Oct 29, 2025 at 20:42

Affected Product

Vendor zitadel

Product zitadel

Version >= 4.0.0-rc.1, < 4.6.0

Affected Versions zitadel zitadel >= 4.0.0-rc.1, < 4.6.0
zitadel zitadel >= 3.0.0-rc.1, < 3.4.3
zitadel zitadel >= 2.55.0, < 2.71.18
zitadel zitadel >= 2.54.3, <= 2.54.10
zitadel zitadel >= 2.53.6, <= 2.53.9

CWE Classification

CWE-308 CWE-287

AI Assessment

AI Score 8.7 / 10

AI Severity High

Vendor Zitadel

Product Zitadel

Version 2.53.6-2.53.9, 2.54.3-2.54.10, 2.55.0-2.71.18, 3.0.0-rc.1-3.4.3, 4.0.0-rc.1-4.6.0

References

{
    "lastseen": "",
    "description": "Starting from 2.53.6, 2.54.3, and 2.55.0, Zitadel only required multi factor authentication in case the login policy has either enabled requireMFA or requireMFAForLocalUsers. If a user has set up MFA without this requirement, Zitadel would consider single factor auhtenticated sessions as valid as well and not require multiple factors. Bypassing second authentication factors weakens multifactor authentication and enables attackers to bypass the more secure factor. An attacker can target the TOTP code alone, only six digits, bypassing password verification entirely and potentially compromising accounts with 2FA enabled. This vulnerability is fixed in 4.6.0, 3.4.3, and 2.71.18.",
    "published": "2025-10-29T18:43:46.934Z",
    "modified": "2025-10-29T20:42:41.527Z",
    "type": "cve",
    "title": "Zitadel Bypass Second Authentication Factor",
    "source": "GitHub_M",
    "references": "https://github.com/zitadel/zitadel/security/advisories/GHSA-cfjq-28r2-4jv5\nhttps://github.com/zitadel/zitadel/commit/b284f8474eed0cba531905101619e7ae7963156b",
    "id": "CVE-2025-64103",
    "bulletinFamily": "",
    "cwe": [
        "CWE-308",
        "CWE-287"
    ],
    "cvelist": null,
    "sourceData": "zitadel zitadel >= 4.0.0-rc.1, < 4.6.0\nzitadel zitadel >= 3.0.0-rc.1, < 3.4.3\nzitadel zitadel >= 2.55.0, < 2.71.18\nzitadel zitadel >= 2.54.3, <= 2.54.10\nzitadel zitadel >= 2.53.6, <= 2.53.9",
    "sourceHref": "",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "zitadel",
    "version": ">= 4.0.0-rc.1, < 4.6.0",
    "vendor": "zitadel",
    "ai_description": "Bypassing second authentication factors weakens multifactor authentication, enabling attackers to bypass the more secure factor by targeting the TOTP code alone.",
    "ai_severity": "High",
    "ai_vendor": "Zitadel",
    "ai_product": "Zitadel",
    "ai_version": "2.53.6-2.53.9, 2.54.3-2.54.10, 2.55.0-2.71.18, 3.0.0-rc.1-3.4.3, 4.0.0-rc.1-4.6.0",
    "ai_score": 8.7
}