CVE-2025-64102

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-64102
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-64102.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-64102
Aliases
Published
2025-10-29T18:36:15.390Z
Modified
2025-12-05T10:22:06.626802Z
Severity
  • 7.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
Zitadel allows brute-forcing authentication factors
Details

Zitadel is open-source identity infrastructure software. Prior to 4.6.0, 3.4.3, and 2.71.18, an attacker can perform an online brute-force attack on OTP, TOTP, and passwords. Zitadel does allow online brute-force attacks on TOTP, Email OTP, and passwords to be prevented with a lockout mechanism, but that mechanism is not enabled by default and, when enabled, can cause a denial of service for the affected user. Additionally, the mitigation strategies were not fully implemented in the more recent resource-based APIs. This vulnerability is fixed in 4.6.0, 3.4.3, and 2.71.18.

Database specific
{
    "cwe_ids": [
        "CWE-307"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/64xxx/CVE-2025-64102.json"
}
References

Affected packages

Git / github.com/zitadel/zitadel

Affected ranges

Type
GIT
Repo
https://github.com/zitadel/zitadel
Events
Database specific
{
    "versions": [
        {
            "introduced": "4.0.0-rc.1"
        },
        {
            "fixed": "4.6.0"
        }
    ]
}
Type
GIT
Repo
https://github.com/zitadel/zitadel
Events
Database specific
{
    "versions": [
        {
            "introduced": "3.0.0-rc.1"
        },
        {
            "fixed": "3.4.3"
        }
    ]
}
Type
GIT
Repo
https://github.com/zitadel/zitadel
Events
Database specific
{
    "versions": [
        {
            "introduced": "2.0.0"
        },
        {
            "fixed": "2.71.18"
        }
    ]
}

Affected versions

2.*

2.20.0

v2.*

v2.0.0
v2.0.1
v2.1.0
v2.1.1
v2.10.0
v2.11.0
v2.11.1
v2.12.0
v2.13.0
v2.13.1
v2.14.0
v2.14.1
v2.14.2
v2.14.3
v2.14.4
v2.14.5
v2.15.0
v2.16.0
v2.16.1
v2.17.0
v2.17.1
v2.18.0
v2.19.0
v2.2.0
v2.20.0
v2.21.0
v2.22.0
v2.22.1
v2.22.2
v2.23.0
v2.23.1
v2.24.0
v2.25.0
v2.25.1
v2.25.2
v2.25.3
v2.26.0
v2.26.1
v2.26.2
v2.27.0
v2.27.1
v2.28.0
v2.28.0-rc.1
v2.28.1
v2.29.0
v2.29.0-rc.1
v2.29.0-rc.2
v2.29.0-rc.3
v2.29.0-rc.4
v2.29.1
v2.29.2
v2.29.3
v2.3.0
v2.3.1
v2.3.2
v2.3.3
v2.3.4
v2.30.0
v2.31.0
v2.31.1
v2.31.2
v2.31.3
v2.31.4
v2.31.5
v2.32.0
v2.33.0
v2.33.1
v2.34.0
v2.34.1
v2.35.0
v2.35.1
v2.36.0
v2.36.1
v2.36.2
v2.36.3
v2.37.0
v2.37.1
v2.37.2
v2.37.3
v2.38.0
v2.38.1
v2.39.0
v2.39.1
v2.39.2
v2.39.3
v2.4.0
v2.40.0
v2.40.1
v2.40.2
v2.40.3
v2.40.4
v2.40.5
v2.41.0
v2.41.1
v2.41.2
v2.41.3
v2.41.4
v2.41.5
v2.42.0
v2.42.1
v2.42.2
v2.42.3
v2.43.0
v2.43.0-rc.1
v2.43.0-rc.2
v2.43.0-rc.3
v2.43.0-rc.4
v2.43.0-rc.5
v2.43.0-rc.6
v2.43.0-rc.7
v2.43.1
v2.43.2
v2.43.3
v2.43.4
v2.43.5
v2.44.0
v2.44.1
v2.44.2
v2.45.0
v2.46.0
v2.47.0
v2.47.1
v2.47.2
v2.47.3
v2.47.4
v2.47.5
v2.47.6
v2.48.0
v2.48.1
v2.48.2
v2.48.3
v2.49.0
v2.49.1
v2.49.2
v2.49.3
v2.5.0
v2.5.1
v2.50.0
v2.50.1
v2.50.2
v2.50.3
v2.50.4
v2.50.5
v2.51.0
v2.51.1
v2.51.2
v2.51.3
v2.51.4
v2.52.0
v2.52.0-rc.1
v2.52.0-rc.2
v2.52.1
v2.53.0
v2.53.0-rc.1
v2.53.1
v2.53.2
v2.54.0
v2.54.1
v2.54.2
v2.54.3
v2.55.0
v2.55.0-rc.1
v2.55.1
v2.55.2
v2.56.0
v2.56.0-rc.1
v2.56.0-rc.2
v2.56.0-rc.3
v2.56.0-rc.4
v2.56.1
v2.57.0
v2.58.0
v2.58.1
v2.58.2
v2.58.3
v2.59.0
v2.59.1
v2.6.0
v2.60.0
v2.61.0
v2.62.0
v2.62.1
v2.62.2
v2.62.3
v2.63.0
v2.63.1
v2.63.2
v2.63.3
v2.63.4
v2.64.0
v2.64.1
v2.65.0
v2.65.1
v2.65.2
v2.65.3
v2.65.4
v2.66.0
v2.66.1
v2.66.2
v2.66.3
v2.67.0
v2.67.1
v2.67.2
v2.67.3
v2.67.4
v2.68.0
v2.68.1
v2.69.0
v2.69.1
v2.69.2
v2.69.3
v2.7.0
v2.70.0
v2.70.1
v2.71.0
v2.71.1
v2.71.10
v2.71.11
v2.71.12
v2.71.13
v2.71.14
v2.71.15
v2.71.16
v2.71.17
v2.71.2
v2.71.3
v2.71.4
v2.71.5
v2.71.6
v2.71.7
v2.71.8
v2.71.9
v2.8.0
v2.8.1
v2.8.2
v2.9.0
v2.9.1

v3.*

v3.0.0
v3.0.0-rc.1
v3.0.0-rc.2
v3.0.0-rc.3
v3.0.1
v3.0.2
v3.0.3
v3.0.4
v3.1.0
v3.2.0
v3.2.1
v3.2.2
v3.2.3
v3.3.0
v3.3.1
v3.3.2
v3.3.3
v3.3.4
v3.3.5
v3.3.6
v3.4.0
v3.4.1
v3.4.2

v4.*

v4.0.0
v4.0.0-rc.1
v4.0.0-rc.2
v4.0.0-rc.3
v4.0.0-rc.4
v4.0.1
v4.0.2
v4.0.3
v4.1.0
v4.1.1
v4.1.2
v4.1.3
v4.1.4
v4.2.0
v4.2.1
v4.2.2
v4.3.0
v4.3.1
v4.3.2
v4.3.3
v4.4.0
v4.5.0