VYPR
High severity (8.6) · NVD Advisory · Published May 11, 2026 · Updated May 13, 2026

CVE-2025-10470

Description

The Magic Link authentication flow accepts multiple invalid authentication requests without adequate rate limiting or resource control, leading to uncontrolled memory usage growth.

This vulnerability can result in a denial-of-service condition, causing service unavailability for deployments that utilize the Magic Link authenticator. The impact is limited to these specific deployments and requires repeated invalid authentication attempts to trigger.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Magic Link authentication flow in WSO2 Identity Server 7.0.0 lacks rate limiting, allowing repeated invalid requests to cause uncontrolled memory growth and denial of service.

Vulnerability

Overview

The Magic Link authentication flow in WSO2 Identity Server 7.0.0 is vulnerable to a denial-of-service (DoS) condition due to the absence of adequate rate limiting or resource control. When multiple invalid authentication requests are processed, the system experiences uncontrolled memory usage growth, which can lead to service unavailability [1].

Exploitation

Conditions

Exploitation requires the deployment to have the Magic Link authenticator enabled. An attacker can trigger the vulnerability by sending a high volume of invalid authentication requests over the network. No authentication is required, and the attack can be carried out over the network with low complexity [1].

Impact

Successful exploitation results in a complete denial of service for the authentication mechanism, preventing legitimate users from accessing the system. The impact is limited to deployments using the Magic Link feature, but within those deployments, the service can become fully unavailable [1].

Mitigation

WSO2 has released a fix in the identity-local-auth-magiclink repository (pull request #61). Affected users should apply the fix or update to WSO2 Identity Server 7.0.0 update level 121 or higher. If patching is not immediately possible, migrating to the latest unaffected version is recommended [1].
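The failure class the advisory describes, a flow that keeps state for every incoming request (valid or not) and never releases it, shown next to a hardened store that bounds memory with a TTL, a hard size cap and a per-source rate limit. This is an added illustration in Python, not WSO2 code: the class names, parameters, the simulated flood and its timestamps are all constructed assumptions.

```python
"""Unbounded vs. bounded tracking of pending authentication attempts (illustrative)."""
from collections import OrderedDict, deque


class UnboundedPendingStore:
    """Naive pattern: every attempt is remembered and nothing is ever evicted."""

    def __init__(self):
        self.pending = {}  # request_id -> (source, created_at), grows forever

    def record_attempt(self, request_id, source, now):
        self.pending[request_id] = (source, now)
        return True

    def size(self):
        return len(self.pending)


class BoundedPendingStore:
    """Hardened pattern: expiry, a hard cap on stored entries, per-source rate limiting."""

    def __init__(self, max_entries=1000, ttl_seconds=300.0,
                 per_source_limit=5, window_seconds=60.0, max_sources=10000):
        self.max_entries = max_entries        # hard cap on pending records
        self.ttl = ttl_seconds                # records older than this are dropped
        self.per_source_limit = per_source_limit
        self.window = window_seconds          # sliding window for the per-source limit
        self.max_sources = max_sources        # cap on rate-limiter state as well
        self.pending = OrderedDict()          # request_id -> (source, created_at), oldest first
        self.by_source = OrderedDict()        # source -> deque of recent attempt timestamps

    def _evict_expired(self, now):
        # Entries are inserted in time order, so expired ones sit at the front.
        while self.pending:
            _, (_, created_at) = next(iter(self.pending.items()))
            if created_at + self.ttl > now:
                break
            self.pending.popitem(last=False)

    def _source_allowed(self, source, now):
        stamps = self.by_source.get(source)
        if stamps is None:
            stamps = deque()
            self.by_source[source] = stamps
            if len(self.by_source) > self.max_sources:
                self.by_source.popitem(last=False)  # forget the least recently seen source
        else:
            self.by_source.move_to_end(source)
        while stamps and stamps[0] + self.window <= now:
            stamps.popleft()                        # slide the window forward
        if len(stamps) >= self.per_source_limit:
            return False
        stamps.append(now)
        return True

    def record_attempt(self, request_id, source, now):
        self._evict_expired(now)
        if not self._source_allowed(source, now):
            return False                            # rejected before any state is allocated
        if len(self.pending) >= self.max_entries:
            self.pending.popitem(last=False)        # drop the oldest pending entry
        self.pending[request_id] = (source, now)
        return True

    def size(self):
        return len(self.pending)


def simulate_flood(store, attempts, sources, start=0.0, interval=0.001):
    """Drive a store with `attempts` constructed invalid requests cycling over `sources`.

    Returns (accepted_count, stored_entries). Timestamps are synthetic.
    """
    accepted = 0
    for i in range(attempts):
        if store.record_attempt(f"req-{i}", sources[i % len(sources)], start + i * interval):
            accepted += 1
    return accepted, store.size()


if __name__ == "__main__":
    print("unbounded:", simulate_flood(UnboundedPendingStore(), 10000, ["a", "b", "c"]))
    print("bounded:  ", simulate_flood(BoundedPendingStore(), 10000, ["a", "b", "c"]))
```

The point of the hardened store is that rejection happens before allocation: a request that exceeds the per-source limit leaves no record behind, and even a flood spread across many sources cannot push the pending set past `max_entries`. The rate-limiter state itself is capped too, since an unbounded per-source table would simply move the leak one level down.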

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.


References

1
