N/A

CVSS Score

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-64102

CVE-2025-64102: Zitadel allows brute-forcing authentication factors

Summary

A vulnerability in Zitadel allowed brute-force attack on OTP, TOTP and password allowing to impersonate the attacked user.

Impact

An attacker can perform an online brute-force attack on OTP, TOTP, and passwords. While Zitadel allows preventing online brute force attacks in scenarios like TOTP, Email OTP, or passwords using a lockout mechanism. The mechanism is not enabled by default and can cause a denial of service for the corresponding user if enabled. Additionally, the mitigation strategies were not fully implemented in the more recent resource-based APIs.

Affected Versions

All versions within the following ranges, including release candidates (RCs), are affected:

4.x: 4.0.0 to 4.4.0 (including RC versions)
3.x: 3.0.0 to 3.4.2 (including RC versions)
2.x: v2.0.0 to 2.71.17

Patches

The vulnerability has been addressed in the latest releases. The patch resolves the issue by enforcing the lockout policy on all OTP, TOTP and password checks. Additionally a “tar pit” has been introduced to slow down brute-force attacks by default. Zitadel responses will be delayed by t seconds, where t increases over the number of failed attempts within a given timeframe.

4.x: Upgrade to >=4.6.0 3.x: Update to >=3.4.3 2.x: Update to >=2.71.18

Workarounds

The recommended solution is to update Zitadel to a patched version.

The problem might be mitigated by enabling the optional logout policy ("Password maximum attempts") or by implementing more strict rate limits.

Questions

If you have any questions or comments about this advisory, please email us at security@zitadel.com

Credits

This vulnerability was found by zentrust partners GmbH during a scheduled penetration test. Thank you to the analysts Martin Tschirsich, Joud Zakharia, Christopher Baumann. The full report will be made public after the complete review.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-64102

CVE-2025-64102:

N/A

CVSS Score

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/zitadel/zitadel/v2	go	< 2.71.18	2.71.18

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in the absence of a brute-force mitigation mechanism for authentication factors like passwords, OTPs, and TOTPs. The provided patch addresses this by introducing a 'tarpit' feature, which adds a delay that increases with the number of failed authentication attempts. The analysis of the patch identified the core functions responsible for verifying these authentication factors. The functions checkPassword, checkTOTP, and checkOTP in the internal/command package are the central points where these checks occur. The patch modifies these functions and their callers to include a call to the new tarpit function upon a failed attempt. Specifically, the signatures of these functions were changed to accept a tarpit function pointer. The checkCurrentPassword method, used during password changes, was also modified to incorporate this protection. The new verifyPasswordWithLockoutPolicy function encapsulates the vulnerable logic and now includes the fix. These functions would be active during any authentication attempt, and therefore, their presence in a runtime profile would indicate the execution of the vulnerable code path.

Vulnerable functions

command.checkPassword

internal/command/user_human_password.go

This function checks the user's password. Before the patch, it lacked any mechanism to prevent or slow down brute-force attacks, allowing an attacker to make numerous attempts without penalty. The patch adds a 'tarpit' parameter to introduce delays after failed attempts.

command.checkTOTP

internal/command/user_human_otp.go

This function verifies a TOTP code. It was vulnerable to brute-force attacks as it did not implement any delay or lockout mechanism on failed attempts. The patch introduces a 'tarpit' function call to slow down repeated attempts.

command.checkOTP

internal/command/user_human_otp.go

This function is used to verify OTP codes for SMS and Email. It was missing brute-force protection, allowing an attacker to guess codes repeatedly. The patch adds a 'tarpit' function to introduce a delay after each failed attempt.

command.(*Commands).checkCurrentPassword

internal/command/user_human_password.go

This method is used when changing a password to verify the user's current password. This verification step was vulnerable to brute-force attacks. The patch refactored the logic and introduced a 'tarpit' to mitigate this vulnerability.

command.verifyPasswordWithLockoutPolicy

internal/command/user_human_password.go

This new function contains the core password verification logic, which was previously part of `checkPassword`. It was vulnerable because it lacked rate-limiting. The patch adds a call to the 'tarpit' function to slow down brute-force attempts.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-64102: Zitadel allows brute-forcing authentication factors

Summary

Impact

Affected Versions

Patches

Workarounds

Questions

Credits

CVE-2025-64102:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

N/A

N/A

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-64102: Zitadel allows brute-forcing authentication factors

Summary

Impact

Affected Versions

Patches

Workarounds

Questions

Credits

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI