CVE-2025-66558
BaseFortify
Publication date: 2025-12-05
Last updated on: 2025-12-09
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nextcloud | two-factor_webauthn | From 1.0.0 (inc) to 1.4.2 (exc) |
| nextcloud | two-factor_webauthn | From 2.0.0 (inc) to 2.4.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Nextcloud Twofactor WebAuthn is due to a missing ownership check that allowed an attacker to take away a 2FA WebAuthn device by correctly guessing a long random string (80-128 characters). Although the attacker cannot authenticate as the victim, the victim would be prompted to register a new device on their next login. This issue was fixed in versions 1.4.2 and 2.4.1.
How can this vulnerability impact me? :
The vulnerability can impact you by allowing an attacker to remove your registered 2FA WebAuthn device if they guess the correct long random string. This would force you to register a new 2FA device upon your next login, potentially causing inconvenience and disruption to your authentication process. However, the attacker cannot use this to authenticate as you.
What immediate steps should I take to mitigate this vulnerability?
Update the Nextcloud Twofactor WebAuthn application to version 1.4.2 or 2.4.1 or later, as these versions contain the fix for the vulnerability.