Vulnerabilities
Projects
Vulnerability Disclosure
About Us
Contact Us
Mend.io Vulnerability Database
What is a WS vulnerability ID?
What is an MSC vulnerability ID?
We found results for “”
CVE-2025-64103
Good to know:
Date: October 29, 2025
Starting from 2.53.6, 2.54.3, and 2.55.0, Zitadel only required multi factor authentication in case the login policy has either enabled requireMFA or requireMFAForLocalUsers. If a user has set up MFA without this requirement, Zitadel would consider single factor auhtenticated sessions as valid as well and not require multiple factors. Bypassing second authentication factors weakens multifactor authentication and enables attackers to bypass the more secure factor. An attacker can target the TOTP code alone, only six digits, bypassing password verification entirely and potentially compromising accounts with 2FA enabled. This vulnerability is fixed in 4.6.0, 3.4.3, and 2.71.18.
Severity Score
Related Resources (6)
Severity Score
Top Fix
Upgrade Version
Upgrade to version github.com/zitadel/zitadel - v2.71.18;github.com/zitadel/zitadel - v3.4.3;github.com/zitadel/zitadel - v4.6.0;github.com/zitadel/zitadel - v1.80.0-v2.20.0.20251029091250-b284f8474eed;https://github.com/zitadel/zitadel.git - v4.6.0;https://github.com/zitadel/zitadel.git - v3.4.3;https://github.com/zitadel/zitadel.git - v2.71.8
CVSS v3.1
| Base Score: |
|
|---|---|
| Attack Vector (AV): | NETWORK |
| Attack Complexity (AC): | LOW |
| Privileges Required (PR): | NONE |
| User Interaction (UI): | NONE |
| Scope (S): | UNCHANGED |
| Confidentiality (C): | HIGH |
| Integrity (I): | HIGH |
| Availability (A): | HIGH |