CVE-2025-64102
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-64102, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-10-29

Last updated on: 2025-11-04

Assigner: GitHub, Inc.

Description

Zitadel is open-source identity infrastructure software. Prior to 4.6.0, 3.4.3, and 2.71.18, an attacker can perform an online brute-force attack on OTP, TOTP, and passwords. While Zitadel allows preventing online brute force attacks in scenarios like TOTP, Email OTP, or passwords using a lockout mechanism. The mechanism is not enabled by default and can cause a denial of service for the corresponding user if enabled. Additionally, the mitigation strategies were not fully implemented in the more recent resource-based APIs. This vulnerability is fixed in 4.6.0, 3.4.3, and 2.71.18.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-10-29
Last Modified
2025-11-04
Generated
2026-07-06
AI Q&A
2025-10-29
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
zitadel zitadel to 2.71.18 (exc)
zitadel zitadel From 3.0.0 (inc) to 3.4.3 (exc)
zitadel zitadel From 4.0.0 (inc) to 4.6.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-307 The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in Zitadel, an open-source identity infrastructure software, allows an attacker to perform an online brute-force attack on OTP, TOTP, and passwords. Although Zitadel has a lockout mechanism to prevent such attacks, it is not enabled by default and can cause denial of service if enabled. Additionally, the mitigation is not fully implemented in newer resource-based APIs. The issue is fixed in versions 4.6.0, 3.4.3, and 2.71.18.

Impact Analysis

An attacker could repeatedly attempt to guess OTPs, TOTPs, or passwords, potentially gaining unauthorized access to accounts. If the lockout mechanism is enabled to prevent this, it could cause denial of service for legitimate users by locking their accounts. This can lead to compromised security and service disruption.

Mitigation Strategies

To mitigate this vulnerability, upgrade Zitadel to version 4.6.0, 3.4.3, or 2.71.18 or later, where the issue is fixed. Additionally, consider enabling the lockout mechanism to prevent online brute-force attacks on OTP, TOTP, and passwords, but be aware that enabling this mechanism may cause denial of service for the corresponding user. Note that mitigation strategies may not be fully implemented in recent resource-based APIs, so upgrading is the most reliable step.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-64102. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart