
GHSA-jhmr-57cj-q6g9: Komari vulnerable to 2FA Authentication Bypass

CVSS Score: N/A

Basic Information

CVE ID: -
EPSS Score: -
Published: 8/12/2025
Updated: 8/12/2025
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: -

Package Name: github.com/komari-monitor/komari
Ecosystem: go
Vulnerable Versions: < 0.0.0-20250809064056-cc3d54bff4c6
First Patched Version: 0.0.0-20250809064056-cc3d54bff4c6

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The analysis of the provided commit cc3d54bff4c6495beaa1c7483379cd04542c557f clearly indicates a logical flaw in the Login function within the api/login.go file. The patch directly modifies the conditional statement responsible for verifying the 2FA code. The original condition err != nil && ok was incorrect because the Verify2Fa function would never return both an error and a success status (ok=true) at the same time. This effectively rendered the 2FA check useless, as the block of code that would reject an invalid code was unreachable. The fix, changing the condition to err != nil || !ok, correctly handles both error scenarios and unsuccessful verification, thus patching the 2FA bypass vulnerability. Therefore, the Login function is the direct site of the vulnerability.
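To make the logic flaw concrete, the following Go program is an added illustration written for this page; it is not Komari's code. It assumes a stand-in verify2FA with the shape the advisory implies (a success flag ok and an error err that are never both "true" at once) and a constructed sample where only the code "123456" is valid. It then runs the pre-patch condition (err != nil && ok) and the patched condition (err != nil || !ok) over every (err, ok) pair the verifier can actually produce, which shows that the original check rejects nothing at all.

```go
package main

import (
	"errors"
	"fmt"
)

// verify2FA stands in for Komari's Verify2Fa (assumption: it reports success
// with ok and a failure with err, and never returns ok=true together with a
// non-nil error, which is the property the advisory relies on).
// Constructed sample: "123456" is the only valid code; "" is treated as malformed.
func verify2FA(code string) (ok bool, err error) {
	if code == "" {
		return false, errors.New("empty 2FA code")
	}
	return code == "123456", nil
}

// rejectCheck decides, from Verify2Fa's two results, whether login must be rejected.
type rejectCheck func(err error, ok bool) bool

// vulnerableCondition is the pre-patch test described in the advisory.
func vulnerableCondition(err error, ok bool) bool { return err != nil && ok }

// patchedCondition is the post-patch test.
func patchedCondition(err error, ok bool) bool { return err != nil || !ok }

// reachableStates are the only (err, ok) pairs a verifier with the property
// above can produce; (non-nil err, ok=true) never occurs.
var reachableStates = []struct {
	err error
	ok  bool
}{
	{nil, true},
	{nil, false},
	{errors.New("verification error"), false},
}

// rejectedStates counts how many reachable states a condition rejects.
// A correct check rejects every state except (nil, true), i.e. two of the three.
func rejectedStates(c rejectCheck) int {
	n := 0
	for _, s := range reachableStates {
		if c(s.err, s.ok) {
			n++
		}
	}
	return n
}

// login reports whether a 2FA code is accepted under the given condition.
func login(code string, c rejectCheck) bool {
	ok, err := verify2FA(code)
	if c(err, ok) {
		return false
	}
	return true
}

func loginVulnerable(code string) bool { return login(code, vulnerableCondition) }
func loginFixed(code string) bool      { return login(code, patchedCondition) }

func main() {
	for _, code := range []string{"123456", "000000", ""} {
		fmt.Printf("code=%q vulnerable=%v fixed=%v\n", code, loginVulnerable(code), loginFixed(code))
	}
	fmt.Println("states rejected: vulnerable =", rejectedStates(vulnerableCondition),
		"patched =", rejectedStates(patchedCondition))
}
```

The truth-table helper is the useful part for review: a condition that rejects zero reachable states is dead code, which is exactly the pattern a reviewer or a linter looking for boolean conditions that can never be satisfied should flag.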


WAF Protection Rules

### Summary

Logic error in 2FA verification condition allows bypass of two-factor authentication.

### Details

https://github.com/komari-monitor/komari/blob/[commit hash masked]/api/login.go#L[line masked]

There is no way for `Verify2Fa` t
