High severity · NVD Advisory · Published Oct 29, 2025 · Updated Oct 30, 2025
Zitadel allows brute-forcing authentication factors
CVE-2025-64102
Description
Zitadel is open-source identity infrastructure software. Prior to 4.6.0, 3.4.3, and 2.71.18, an attacker can perform an online brute-force attack against OTP, TOTP, and passwords. Although Zitadel can prevent online brute-force attacks against TOTP, Email OTP, and passwords using a lockout mechanism, that mechanism is not enabled by default and, when enabled, can cause a denial of service for the affected user. Additionally, the mitigation strategies were not fully implemented in the more recent resource-based APIs. This vulnerability is fixed in 4.6.0, 3.4.3, and 2.71.18.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/zitadel/zitadel/v2 | Go | < 2.71.18 | 2.71.18 |
| github.com/zitadel/zitadel | Go | < 1.80.0-v2.20.0.20251029090735-b8db8cdf9cc8 | 1.80.0-v2.20.0.20251029090735-b8db8cdf9cc8 |
Affected products
- pkg:golang/github.com/zitadel/zitadel (no CPE) — affected range: < 1.80.0-v2.20.0.20251029090735-b8db8cdf9cc8
- pkg:golang/github.com/zitadel/zitadel/v2 (no CPE) — affected range: < 2.71.18
- pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed (no CPE) — affected range: < 0.0.20251105T184115-1.1
References
- github.com/advisories/GHSA-xrw9-r35x-x878 (source: ghsa; type: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-64102 (source: ghsa; type: ADVISORY)
- github.com/zitadel/zitadel/commit/b8db8cdf9cc8ea13f461758aef12457f8b7d972a (source: ghsa; type: x_refsource_MISC, WEB; fix commit)
- github.com/zitadel/zitadel/security/advisories/GHSA-xrw9-r35x-x878 (source: ghsa; type: x_refsource_CONFIRM, WEB; vendor advisory)
- pkg.go.dev/vuln/GO-2025-4085 (source: ghsa; type: WEB)