CVE-2025-66558
- Source
- https://cve.org/CVERecord?id=CVE-2025-66558
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-66558.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-66558
- Aliases
-
- GHSA-fr8x-mvjg-wf9q
- Published
- 2025-12-05T18:00:49.792Z
- Modified
- 2026-03-01T02:54:49.495034Z
- Severity
-
- 3.1 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
- Summary
- Nextcloud Twofactor WebAuthn app was updated based on public key
- Details
-
Nextcloud Twofactor WebAuthn is the WebAuthn Two-Factor Provider for Nextcloud. Prior to 1.4.2 and 2.4.1, a missing ownership check allowed an attack to take-away a 2FA webauthn device when correctly guessing a 80-128 character long random string of letters, numbers and symbols. The victim would then be prompted to register a new device on the next login. The attacker can not authenticate as the victim. This vulnerability is fixed in 1.4.2 and 2.4.1.
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/66xxx/CVE-2025-66558.json", "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-639" ] }- References
-
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/66xxx/CVE-2025-66558.json
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-fr8x-mvjg-wf9q
- https://github.com/nextcloud/twofactor_webauthn/commit/5d2302166d31ee2e01b2e21556bd5372156da13d
- https://github.com/nextcloud/twofactor_webauthn/pull/881
- https://hackerone.com/reports/3360354
- https://nvd.nist.gov/vuln/detail/CVE-2025-66558