CVE-2025-66558
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-05

Last updated on: 2025-12-09

Assigner: GitHub, Inc.

Description
Nextcloud Twofactor WebAuthn is the WebAuthn Two-Factor Provider for Nextcloud. Prior to 1.4.2 and 2.4.1, a missing ownership check allowed an attack to take-away a 2FA webauthn device when correctly guessing a 80-128 character long random string of letters, numbers and symbols. The victim would then be prompted to register a new device on the next login. The attacker can not authenticate as the victim. This vulnerability is fixed in 1.4.2 and 2.4.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-05
Last Modified
2025-12-09
Generated
2026-06-16
AI Q&A
2025-12-05
EPSS Evaluated
2026-06-15
NVD
CVE-2025-66558
EUVD
EUVD-2025-201460
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
nextcloud two-factor_webauthn From 1.0.0 (inc) to 1.4.2 (exc)
nextcloud two-factor_webauthn From 2.0.0 (inc) to 2.4.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in Nextcloud Twofactor WebAuthn is due to a missing ownership check that allowed an attacker to take away a 2FA WebAuthn device by correctly guessing a long random string (80-128 characters). Although the attacker cannot authenticate as the victim, the victim would be prompted to register a new device on their next login. This issue was fixed in versions 1.4.2 and 2.4.1.

Impact Analysis

The vulnerability can impact you by allowing an attacker to remove your registered 2FA WebAuthn device if they guess the correct long random string. This would force you to register a new 2FA device upon your next login, potentially causing inconvenience and disruption to your authentication process. However, the attacker cannot use this to authenticate as you.

Mitigation Strategies

Update the Nextcloud Twofactor WebAuthn application to version 1.4.2 or 2.4.1 or later, as these versions contain the fix for the vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-66558. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart