Unrated severityNVD Advisory· Published Dec 5, 2025· Updated Dec 5, 2025

Nextcloud Twofactor WebAuthn app was updated based on public key

CVE-2025-66558

Description

Nextcloud Twofactor WebAuthn is the WebAuthn Two-Factor Provider for Nextcloud. Prior to 1.4.2 and 2.4.1, a missing ownership check allowed an attack to take-away a 2FA webauthn device when correctly guessing a 80-128 character long random string of letters, numbers and symbols. The victim would then be prompted to register a new device on the next login. The attacker can not authenticate as the victim. This vulnerability is fixed in 1.4.2 and 2.4.1.

Affected products

Nextcloud/Twofactor WebAuthnllm-create
Range: <2.4.1, <1.4.2
nextcloud/security-advisoriesv5
Range: < 1.4.2

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/nextcloud/security-advisories/security/advisories/GHSA-fr8x-mvjg-wf9qmitrex_refsource_CONFIRM
github.com/nextcloud/twofactor_webauthn/commit/5d2302166d31ee2e01b2e21556bd5372156da13dmitrex_refsource_MISC
github.com/nextcloud/twofactor_webauthn/pull/881mitrex_refsource_MISC
hackerone.com/reports/3360354mitrex_refsource_MISC

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000