CVE-2025-64102

High CVSS: 7.7

Zitadel is open-source identity infrastructure software. Prior to 4.6.0, 3.4.3, and 2.71.18, an attacker can perform an online brute-force attack on OTP, TOTP, and passwords. While Zitadel allows preventing online brute force attacks in scenarios like TOTP, Email OTP, or passwords using a lockout mechanism. The mechanism is not enabled by default and can cause a denial of service for the corresponding user if enabled. Additionally, the mitigation strategies were not fully implemented in the more recent resource-based APIs. This vulnerability is fixed in 4.6.0, 3.4.3, and 2.71.18.

Vendor

Zitadel

Product

Zitadel

CWE

CWE-307

Yayın Tarihi

2025-10-29 19:15:38

Güncelleme

2025-11-04 13:18:57

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-307 Zitadel HIGH Zitadel 2025

Referanslar

https://github.com/zitadel/zitadel/commit/b8db8cdf9cc8ea13f461758aef12457f8b7d972a https://github.com/zitadel/zitadel/security/advisories/GHSA-xrw9-r35x-x878

Benzer Kayıtlar

Medium

CVE-2026-33132

ZITADEL is an open source identity management platform. Versions prior to 3.4.9 and 4.0.0 through 4.12.2 allowed users t…

High

CVE-2026-32132

ZITADEL is an open source identity management platform. Prior to 3.4.8 and 4.12.2, a potential vulnerability exists in Z…

High

CVE-2026-32130

ZITADEL is an open source identity management platform. From 2.68.0 to before 3.4.8 and 4.12.2, Zitadel provides a Syste…

High

CVE-2026-32131

ZITADEL is an open source identity management platform. Prior to 3.4.8 and 4.12.2, a vulnerability in Zitadel's Manageme…

Critical

CVE-2026-29191

ZITADEL is an open source identity management platform. From version 4.0.0 to 4.11.1, a vulnerability in Zitadel's login…

High

CVE-2026-29192

ZITADEL is an open source identity management platform. From version 4.0.0 to 4.11.1, a vulnerability in Zitadel's login…