CVE-2025-64103
published 2025-10-29CVE-2025-64103: Starting from 2.53.6, 2.54.3, and 2.55.0, Zitadel only required multi factor authentication in case the login policy has either enabled requireMFA or…
PriorityP268critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
0.34%
25.4th percentile
Starting from 2.53.6, 2.54.3, and 2.55.0, Zitadel only required multi factor authentication in case the login policy has either enabled requireMFA or requireMFAForLocalUsers. If a user has set up MFA without this requirement, Zitadel would consider single factor auhtenticated sessions as valid as well and not require multiple factors. Bypassing second authentication factors weakens multifactor authentication and enables attackers to bypass the more secure factor. An attacker can target the TOTP code alone, only six digits, bypassing password verification entirely and potentially compromising accounts with 2FA enabled. This vulnerability is fixed in 4.6.0, 3.4.3, and 2.71.18.
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | zitadel_zitadel | >= 0 < 1.80.0-v2.20.0.20251029091250-b284f8474eed | 1.80.0-v2.20.0.20251029091250-b284f8474eed |
| github.com | zitadel_zitadel_v2 | 2.53.6 – 2.53.9 | — |
| github.com | zitadel_zitadel_v2 | 2.54.3 – 2.54.10 | — |
| github.com | zitadel_zitadel_v2 | >= 2.55.0 < 2.71.18 | 2.71.18 |
| zitadel | zitadel | — | — |
| zitadel | zitadel | — | — |
| zitadel | zitadel | — | — |
| zitadel | zitadel | — | — |
| zitadel | zitadel | — | — |
| zitadel | zitadel | 2.53.6 – 2.53.9 | — |
| zitadel | zitadel | 2.54.3 – 2.54.10 | — |
| zitadel | zitadel | >= 2.55.0 < 2.71.18 | 2.71.18 |
| zitadel | zitadel | >= 3.0.0 < 3.4.3 | 3.4.3 |
| zitadel | zitadel | >= 4.0.0 < 4.6.0 | 4.6.0 |
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv4.08.7HIGHCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Zitadel May Bypass Second Authentication Factor in github.com/zitadel/zitadel
osv·2025-11-05
CVE-2025-64103 Zitadel May Bypass Second Authentication Factor in github.com/zitadel/zitadel
Zitadel May Bypass Second Authentication Factor in github.com/zitadel/zitadel
Zitadel May Bypass Second Authentication Factor in github.com/zitadel/zitadel.
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: github.com/zitadel/zitadel from v2.55.0 before v2.71.18.
GHSA
Zitadel May Bypass Second Authentication Factor
ghsa·2025-10-29
CVE-2025-64103 [HIGH] CWE-287 Zitadel May Bypass Second Authentication Factor
Zitadel May Bypass Second Authentication Factor
### Summary
A vulnerability in Zitadel's token verification prematurely marked sessions as authenticated when only one factor was verified.
### Impact
Zitadel provides an API for managing sessions, enabling custom login experiences in a dedicated UI or direct integration into applications. Session Tokens are issued for active sessions, which can be used as Bearer tokens to call the Zitadel API.
Starting from 2.55.0 (see other affected versions below), Zitadel only required multi factor authentication in case the login policy has either enabled `requireMFA` or `requireMFAForLocalUsers`. If a user has set up MFA without this requirement, Zitadel would consider single factor auhtenticated sessions as valid as well and not require multiple f
OSV
Zitadel May Bypass Second Authentication Factor
osv·2025-10-29
CVE-2025-64103 [HIGH] Zitadel May Bypass Second Authentication Factor
Zitadel May Bypass Second Authentication Factor
### Summary
A vulnerability in Zitadel's token verification prematurely marked sessions as authenticated when only one factor was verified.
### Impact
Zitadel provides an API for managing sessions, enabling custom login experiences in a dedicated UI or direct integration into applications. Session Tokens are issued for active sessions, which can be used as Bearer tokens to call the Zitadel API.
Starting from 2.55.0 (see other affected versions below), Zitadel only required multi factor authentication in case the login policy has either enabled `requireMFA` or `requireMFAForLocalUsers`. If a user has set up MFA without this requirement, Zitadel would consider single factor auhtenticated sessions as valid as well and not require multiple f
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2025-10-29
Published