CVE-2025-23013Unexpected Status Code or Return Value in Pam-u2f

CWE-394Unexpected Status Code or Return Value5 documents5 sources
Severity
7.3HIGHNVD
EPSS
0.0%
top 90.62%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Yubico Pam-u2fDebian Pam-u2f
Timeline
PublishedJan 15
Latest updateOct 6

Description

In Yubico pam-u2f before 1.3.1, local privilege escalation can sometimes occur. This product implements a Pluggable Authentication Module (PAM) that can be deployed to support authentication using a YubiKey or other FIDO compliant authenticators on macOS or Linux. This software package has an issue that allows for an authentication bypass in some configurations. An attacker would require the ability to access the system as an unprivileged user. Depending on the configuration, the attacker may al

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages3 packages

CVEListV5yubico/pam-u2f< 1.3.1
Debianyubico/pam-u2f< 1.1.0-1.1+deb11u1+3
debiandebian/pam-u2f< pam-u2f 1.1.0-1.1+deb12u1 (bookworm)

🔴Vulnerability Details

2
GHSA
GHSA-wwr4-cj7g-985f: In Yubico pam-u2f before 12025-01-15
OSV
CVE-2025-23013: In Yubico pam-u2f before 12025-01-15

📋Vendor Advisories

2
Ubuntu
PAM/U2F vulnerability2025-10-06
Debian
CVE-2025-23013: pam-u2f - In Yubico pam-u2f before 1.3.1, local privilege escalation can sometimes occur. ...2025
CVE-2025-23013 — Unexpected Status Code or Return Value | cvebase