CVE-2025-64102
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-29

Last updated on: 2025-11-04

Assigner: GitHub, Inc.

Description
Zitadel is open-source identity infrastructure software. Prior to 4.6.0, 3.4.3, and 2.71.18, an attacker can perform an online brute-force attack on OTP, TOTP, and passwords. While Zitadel allows preventing online brute force attacks in scenarios like TOTP, Email OTP, or passwords using a lockout mechanism. The mechanism is not enabled by default and can cause a denial of service for the corresponding user if enabled. Additionally, the mitigation strategies were not fully implemented in the more recent resource-based APIs. This vulnerability is fixed in 4.6.0, 3.4.3, and 2.71.18.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-29
Last Modified
2025-11-04
Generated
2026-06-16
AI Q&A
2025-10-29
EPSS Evaluated
2026-06-15
NVD
CVE-2025-64102
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
zitadel zitadel to 2.71.18 (exc)
zitadel zitadel From 3.0.0 (inc) to 3.4.3 (exc)
zitadel zitadel From 4.0.0 (inc) to 4.6.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-307 The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in Zitadel, an open-source identity infrastructure software, allows an attacker to perform an online brute-force attack on OTP, TOTP, and passwords. Although Zitadel has a lockout mechanism to prevent such attacks, it is not enabled by default and can cause denial of service if enabled. Additionally, the mitigation is not fully implemented in newer resource-based APIs. The issue is fixed in versions 4.6.0, 3.4.3, and 2.71.18.

Impact Analysis

An attacker could repeatedly attempt to guess OTPs, TOTPs, or passwords, potentially gaining unauthorized access to accounts. If the lockout mechanism is enabled to prevent this, it could cause denial of service for legitimate users by locking their accounts. This can lead to compromised security and service disruption.

Mitigation Strategies

To mitigate this vulnerability, upgrade Zitadel to version 4.6.0, 3.4.3, or 2.71.18 or later, where the issue is fixed. Additionally, consider enabling the lockout mechanism to prevent online brute-force attacks on OTP, TOTP, and passwords, but be aware that enabling this mechanism may cause denial of service for the corresponding user. Note that mitigation strategies may not be fully implemented in recent resource-based APIs, so upgrading is the most reliable step.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-64102. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart