CVE-2025-10470
Analyzed Analyzed - Analysis Complete
Memory Exhaustion in Magic Link Authenticator

Publication date: 2026-05-11

Last updated on: 2026-05-27

Assigner: WSO2 LLC

Description
The Magic Link authentication flow accepts multiple invalid authentication requests without adequate rate limiting or resource control, leading to uncontrolled memory usage growth. This vulnerability can result in a denial-of-service condition, causing service unavailability for deployments that utilize the Magic Link authenticator. The impact is limited to these specific deployments and requires repeated invalid authentication attempts to trigger.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-11
Last Modified
2026-05-27
Generated
2026-06-21
AI Q&A
2026-05-11
EPSS Evaluated
2026-06-19
NVD
CVE-2025-10470
EUVD
EUVD-2025-209760
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wso2 identity_server From 7.0.0 (inc) to 7.0.0.121 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-10470 is a high-severity Denial-of-Service (DoS) vulnerability in WSO2 Identity Server version 7.0.0 that affects the Magic Link authentication feature.

The vulnerability arises because the Magic Link authentication flow accepts multiple invalid authentication requests without adequate rate limiting or resource control, which causes uncontrolled memory consumption.

This uncontrolled memory growth can lead to service unavailability by disabling the authentication mechanism.

Impact Analysis

This vulnerability can cause a denial-of-service condition by exhausting memory resources through repeated invalid authentication attempts.

As a result, the authentication service may become unavailable, preventing legitimate users from accessing the system.

The impact is limited to deployments that use the Magic Link authenticator and requires repeated invalid requests to trigger.

Detection Guidance

This vulnerability can be detected by monitoring for multiple invalid Magic Link authentication requests that cause abnormal memory usage growth on the WSO2 Identity Server.

Specifically, detection involves observing repeated failed authentication attempts targeting the Magic Link feature and correlating these with spikes in memory consumption that may lead to service unavailability.

While no specific commands are provided in the available resources, typical approaches include using system monitoring tools to track memory usage (e.g., 'top', 'htop', or 'free' on Linux systems) and analyzing authentication logs for repeated invalid Magic Link requests.

Mitigation Strategies

To mitigate this vulnerability immediately, apply the patch provided by WSO2 or update to a newer version of WSO2 Identity Server that includes the fix.

Users with support subscriptions should apply the specified update level (121) to address the issue.

Until the patch or update is applied, consider monitoring and limiting the rate of Magic Link authentication requests to prevent uncontrolled memory usage growth.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-10470. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart