CVE-2025-10470
Memory Exhaustion in Magic Link Authenticator
Publication date: 2026-05-11
Last updated on: 2026-05-11
Assigner: WSO2 LLC
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wso2 | identity_server | From 7.0.0 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-10470 is a high-severity Denial-of-Service (DoS) vulnerability in WSO2 Identity Server version 7.0.0 that affects the Magic Link authentication feature.
The vulnerability arises because the Magic Link authentication flow accepts multiple invalid authentication requests without adequate rate limiting or resource control, which causes uncontrolled memory consumption.
This uncontrolled memory growth can lead to service unavailability by disabling the authentication mechanism.
How can this vulnerability impact me?
This vulnerability can cause a denial-of-service condition by exhausting memory resources through repeated invalid authentication attempts.
As a result, the authentication service may become unavailable, preventing legitimate users from accessing the system.
The impact is limited to deployments that use the Magic Link authenticator and requires repeated invalid requests to trigger.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for multiple invalid Magic Link authentication requests that cause abnormal memory usage growth on the WSO2 Identity Server.
Specifically, detection involves observing repeated failed authentication attempts targeting the Magic Link feature and correlating these with spikes in memory consumption that may lead to service unavailability.
While no specific commands are provided in the available resources, typical approaches include using system monitoring tools to track memory usage (e.g., 'top', 'htop', or 'free' on Linux systems) and analyzing authentication logs for repeated invalid Magic Link requests.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, apply the patch provided by WSO2 or update to a newer version of WSO2 Identity Server that includes the fix.
Users with support subscriptions should apply the specified update level (121) to address the issue.
Until the patch or update is applied, consider monitoring and limiting the rate of Magic Link authentication requests to prevent uncontrolled memory usage growth.
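The detection approach above (correlating repeated failed Magic Link requests) and the interim mitigation (limiting the rate of Magic Link requests) both come down to the same per-source sliding-window counter. The following is an added example, not code from WSO2 or from this record: it runs that counter over a few constructed log lines and reports sources whose failure rate crosses a threshold. The log line format, the choice of source IP as the grouping key, the `MagicLinkAuthenticator` token and the threshold values are all assumptions for illustration; WSO2 Identity Server's real log format will differ, so adapt `LINE_RE` to the lines actually emitted by the deployment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Hypothetical log line format (constructed for this example; not WSO2's real format):
#   <ISO-8601 UTC timestamp> <level> MagicLinkAuthenticator <OUTCOME> ... src=<client address>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<level>\w+) "
    r"MagicLinkAuthenticator (?P<outcome>\w+) .*?src=(?P<src>\S+)"
)

# Constructed sample log lines; RFC 5737 documentation addresses.
LOG_LINES = [
    "2026-05-11T10:00:00Z WARN MagicLinkAuthenticator FAILED reason=invalid_token src=203.0.113.5",
    "2026-05-11T10:00:03Z WARN MagicLinkAuthenticator FAILED reason=invalid_token src=203.0.113.5",
    "2026-05-11T10:00:05Z INFO MagicLinkAuthenticator SUCCESS user=alice src=198.51.100.7",
    "2026-05-11T10:00:06Z WARN MagicLinkAuthenticator FAILED reason=invalid_token src=203.0.113.5",
    "2026-05-11T10:00:09Z WARN MagicLinkAuthenticator FAILED reason=invalid_token src=203.0.113.5",
    "2026-05-11T10:00:12Z WARN MagicLinkAuthenticator FAILED reason=invalid_token src=203.0.113.5",
    "2026-05-11T10:00:15Z WARN MagicLinkAuthenticator FAILED reason=invalid_token src=203.0.113.5",
    "2026-05-11T10:00:20Z WARN MagicLinkAuthenticator FAILED reason=expired src=198.51.100.7",
    "2026-05-11T10:03:00Z WARN MagicLinkAuthenticator FAILED reason=expired src=198.51.100.7",
    "this line is unrelated noise and is skipped by the parser",
]


def parse_line(line):
    """Return (timestamp, outcome, source) for a matching line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group("outcome"), m.group("src")


class SlidingWindowCounter:
    """Per-key count of events inside a trailing time window.

    Used here for detection over logs; the same object placed in front of the
    Magic Link endpoint, with record() == True meaning "reject", is the
    request-rate limit the mitigation text suggests.
    """

    def __init__(self, window_seconds, threshold):
        self.window_seconds = window_seconds
        self.threshold = threshold
        self.events = defaultdict(deque)  # key -> timestamps (ascending)

    def record(self, key, ts):
        """Add an event; return True when the key exceeds the threshold."""
        q = self.events[key]
        q.append(ts)
        # Drop timestamps that have fallen out of the trailing window.
        while q and (ts - q[0]).total_seconds() > self.window_seconds:
            q.popleft()
        return len(q) > self.threshold


def find_bursts(lines, window_seconds=60, threshold=5):
    """Map each source to the ISO timestamp at which it first exceeded
    `threshold` failed Magic Link attempts within `window_seconds`."""
    counter = SlidingWindowCounter(window_seconds, threshold)
    first_alert = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, outcome, src = parsed
        if outcome != "FAILED":
            continue  # only failed attempts drive the memory growth described
        if counter.record(src, ts) and src not in first_alert:
            first_alert[src] = ts.isoformat()
    return first_alert


if __name__ == "__main__":
    for src, when in find_bursts(LOG_LINES).items():
        print(f"ALERT: {src} exceeded failed Magic Link threshold at {when}")
```

Pair the alert with the host's memory trend (the `top`/`free` readings mentioned above) to confirm the burst is actually driving heap growth rather than being ordinary user error; the threshold and window should be tuned to the deployment's normal failed-attempt rate so that a few mistyped or expired links do not page anyone.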