CVE-2025-66558
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-66558, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-12-05

Last updated on: 2025-12-09

Assigner: GitHub, Inc.

Description

Nextcloud Twofactor WebAuthn is the WebAuthn Two-Factor Provider for Nextcloud. Prior to 1.4.2 and 2.4.1, a missing ownership check allowed an attack to take-away a 2FA webauthn device when correctly guessing a 80-128 character long random string of letters, numbers and symbols. The victim would then be prompted to register a new device on the next login. The attacker can not authenticate as the victim. This vulnerability is fixed in 1.4.2 and 2.4.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-12-05
Last Modified
2025-12-09
Generated
2026-07-06
AI Q&A
2025-12-05
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
nextcloud two-factor_webauthn From 1.0.0 (inc) to 1.4.2 (exc)
nextcloud two-factor_webauthn From 2.0.0 (inc) to 2.4.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in Nextcloud Twofactor WebAuthn is due to a missing ownership check that allowed an attacker to take away a 2FA WebAuthn device by correctly guessing a long random string (80-128 characters). Although the attacker cannot authenticate as the victim, the victim would be prompted to register a new device on their next login. This issue was fixed in versions 1.4.2 and 2.4.1.

Impact Analysis

The vulnerability can impact you by allowing an attacker to remove your registered 2FA WebAuthn device if they guess the correct long random string. This would force you to register a new 2FA device upon your next login, potentially causing inconvenience and disruption to your authentication process. However, the attacker cannot use this to authenticate as you.

Mitigation Strategies

Update the Nextcloud Twofactor WebAuthn application to version 1.4.2 or 2.4.1 or later, as these versions contain the fix for the vulnerability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-66558. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart