N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

CVE-2025-64103

GHSA ID

GHSA-cfjq-28r2-4jv5

EPSS Score

CWE

CWE-287

Published

10/29/2025

Updated

10/29/2025

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-64103

CVE-2025-64103: Zitadel May Bypass Second Authentication Factor

Summary

A vulnerability in Zitadel's token verification prematurely marked sessions as authenticated when only one factor was verified.

Impact

Zitadel provides an API for managing sessions, enabling custom login experiences in a dedicated UI or direct integration into applications. Session Tokens are issued for active sessions, which can be used as Bearer tokens to call the Zitadel API.

Starting from 2.55.0 (see other affected versions below), Zitadel only required multi factor authentication in case the login policy has either enabled requireMFA or requireMFAForLocalUsers. If a user has set up MFA without this requirement, Zitadel would consider single factor auhtenticated sessions as valid as well and not require multiple factors.

Bypassing second authentication factors weakens multifactor authentication and enables attackers to bypass the more secure factor. An attacker can target the TOTP code alone, only six digits, bypassing password verification entirely and potentially compromising accounts with 2FA enabled.

Affected Versions

Systems using the session API (v2 beta and v2) directly or via the new login UI in the following versions are affected:

4.x: 4.0.0 to 4.5.0 (including RC versions)
3.x: 3.0.0 to 3.4.2 (including RC versions)
2.x: v2.53.6 to v2.53.9, v2.54.3 to v2.54.10, 2.55.0 to 2.71.17

Patches

The vulnerability has been addressed in the latest releases. The patch resolves the issue by requiring a configured second factor regardless of the login policies requireMFA or requireMFAForLocalUsers configuration.

4.x: Upgrade to >=4.6.0 3.x: Update to >=3.4.3 2.x: Update to >=2.71.18

Workarounds

The recommended solution is to update Zitadel to a patched version.

Questions

If you have any questions or comments about this advisory, please email us at security@zitadel.com

Credits

This vulnerability was found by zentrust partners GmbH during a scheduled penetration test. Thank you to the analysts Martin Tschirsich, Joud Zakharia, Christopher Baumann. The full report will be made public after the complete review.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-64103

CVE-2025-64103:

N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

CVE-2025-64103

GHSA ID

GHSA-cfjq-28r2-4jv5

EPSS Score

CWE

CWE-287

Published

10/29/2025

Updated

10/29/2025

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/zitadel/zitadel/v2	go	>= 2.53.6, <= 2.53.9
github.com/zitadel/zitadel/v2	go	>= 2.54.3, <= 2.54.10
github.com/zitadel/zitadel/v2	go	>= 2.55.0, <= 2.71.17	2.71.18

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The analysis of the provided patch commit b284f8474eed0cba531905101619e7ae7963156b clearly indicates that the root cause of the vulnerability was in the checkAuthentication function located in internal/authz/repository/eventsourcing/eventstore/token_verifier.go. The vulnerability description states that Zitadel would prematurely mark sessions as authenticated with only one factor verified, even if a second factor was configured by the user, unless a policy enforced MFA. The code changes directly address this flaw. The original code only checked domain.RequiresMFA, which evaluated policy settings. The patched code introduces a new condition, domain.Has2FA(allowedFactors), which checks if the user has any second-factor authentication methods set up. By adding this check with an OR condition, the logic now correctly enforces MFA for any user who has it configured, regardless of whether a policy mandates it. The other modified files, such as those for database queries and domain logic, were changed to support this primary fix by providing the necessary data (e.g., user's configured factors) to the checkAuthentication function. Therefore, checkAuthentication is the precise location of the vulnerable logic and the function that would be in the call stack during an exploit attempt.

Vulnerable functions

eventstore.(*TokenVerifierRepo).checkAuthentication

internal/authz/repository/eventsourcing/eventstore/token_verifier.go

The vulnerability lies in the `checkAuthentication` function, which is responsible for verifying authentication requirements. Before the patch, this function only enforced Multi-Factor Authentication (MFA) if it was explicitly required by a login policy (`ForceMFA`). It failed to account for users who had voluntarily configured a second factor but were not subject to a mandatory MFA policy. This allowed an attacker to authenticate using only a single factor, bypassing the user's configured second factor. The patch corrects this by adding a check to see if the user has any second factors set up (`domain.Has2FA(allowedFactors)`). If they do, MFA is required regardless of the policy, thus closing the security gap.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-64103: Zitadel May Bypass Second Authentication Factor

Summary

Impact

Affected Versions

Patches

Workarounds

Questions

Credits

CVE-2025-64103:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

N/A

N/A

CVE-2025-64103: Zitadel May Bypass Second Authentication Factor

Summary

Impact

Affected Versions

Patches

Workarounds

Questions

Credits

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI