CVE-2025-10470 Overview
CVE-2025-10470 is a resource exhaustion vulnerability [CWE-400] affecting the Magic Link authentication flow in WSO2 products. The flow accepts multiple invalid authentication requests without adequate rate limiting or resource control. Repeated invalid requests cause uncontrolled memory usage growth in the authentication service.
An unauthenticated attacker can trigger a denial-of-service condition over the network. The impact is limited to deployments that enable the Magic Link authenticator. Service unavailability persists until memory pressure is relieved or the service restarts.
Critical Impact
Unauthenticated attackers can exhaust server memory by submitting repeated invalid Magic Link authentication requests, causing denial of service for affected WSO2 deployments.
Affected Products
- WSO2 products with the Magic Link authenticator enabled (see WSO2 Security Advisory WSO2-2025-4469 for the version matrix)
Discovery Timeline
- 2026-05-11 - CVE-2025-10470 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2025-10470
Vulnerability Analysis
The Magic Link authenticator issues one-time authentication links to users for passwordless login. The flow processes inbound authentication requests and allocates server-side state for each attempt. The vulnerable implementation does not enforce rate limits or bound the resources allocated per request.
Each invalid authentication attempt increases memory consumption on the authentication node. Because the allocated state is not promptly reclaimed, repeated requests cause heap growth until the Java Virtual Machine exhausts available memory. The result is service degradation followed by complete unavailability of authentication services.
The vulnerability maps to [CWE-400] Uncontrolled Resource Consumption. Exploitation requires only network reachability to the Magic Link endpoint and no prior authentication or user interaction.
Root Cause
The authentication handler lacks two controls. First, it does not throttle the rate at which a single source or aggregate set of sources can submit Magic Link requests. Second, it does not cap memory allocated for in-flight or pending authentication contexts. The combination allows an attacker to scale memory pressure linearly with request volume.
Attack Vector
An attacker sends a high volume of invalid Magic Link authentication requests to the public authentication endpoint. Each request causes the server to allocate state without timely cleanup. Sustained traffic exhausts the heap and triggers garbage collection thrashing, then out-of-memory failures. The attack requires no credentials, no user interaction, and no privileged network position.
No verified public proof-of-concept code is available. Refer to the WSO2 Security Advisory WSO2-2025-4469 for vendor-supplied technical details.
Detection Methods for CVE-2025-10470
Indicators of Compromise
- Sustained spikes in requests to Magic Link authentication endpoints from a small number of source IPs or distributed botnets
- Elevated JVM heap usage and prolonged garbage collection pauses on identity server nodes
- Authentication service log entries showing repeated invalid Magic Link attempts for nonexistent or unrelated user identifiers
- Out-of-memory errors or service restarts on WSO2 Identity Server processes
Detection Strategies
- Baseline normal request rates to Magic Link endpoints and alert on deviations exceeding two standard deviations
- Correlate authentication failure volume with JVM memory metrics from the identity server
- Monitor for repeated invalid authentication attempts against the same or enumerated user identifiers from common sources
- Inspect web server and load balancer logs for bursts of POST requests to Magic Link initiation URLs
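As an added example (not from this page or the WSO2 advisory), the following Python implements the baseline-and-deviation check and the top-source check above over constructed combined-format web server log lines; the Magic Link initiation path, the log format and the thresholds are assumptions to be replaced with the deployment's real values.

```python
import re
from collections import Counter
from datetime import datetime
from statistics import mean, pstdev

# Assumption: placeholder path for the Magic Link initiation endpoint; use the real one.
MAGIC_LINK_PATH = "/magiclink/initiate"
# Combined-log-style line: ip - - [timestamp] "METHOD path proto" status bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def magic_link_requests(lines):
    """Parse lines and keep only POST requests to the Magic Link initiation path."""
    out = []
    for m in filter(None, map(LOG_RE.match, lines)):
        if m["method"] == "POST" and m["path"].startswith(MAGIC_LINK_PATH):
            out.append({"ip": m["ip"], "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")})
    return out

def anomalous_minutes(records, baseline_minutes, k=2.0):
    """Flag per-minute buckets above baseline mean + k*stdev; the first
    `baseline_minutes` buckets (sorted by time) form the baseline."""
    ordered = sorted(Counter(r["ts"].replace(second=0) for r in records).items())
    baseline = [c for _, c in ordered[:baseline_minutes]]
    if len(baseline) < 2:
        return []
    mu, sigma = mean(baseline), pstdev(baseline)
    return [(t, c) for t, c in ordered[baseline_minutes:] if c > mu + k * sigma]

def top_sources(records, threshold):
    """Sources that submitted at least `threshold` Magic Link requests, busiest first."""
    return [(ip, n) for ip, n in Counter(r["ip"] for r in records).most_common() if n >= threshold]

def detect(lines, baseline_minutes=5, source_threshold=20):
    recs = magic_link_requests(lines)
    return {"anomalous_minutes": anomalous_minutes(recs, baseline_minutes),
            "top_sources": top_sources(recs, source_threshold)}

def build_sample_log():
    """Constructed sample: five quiet minutes from a few clients, then one minute
    with 40 failed initiations from a single source, plus an unrelated GET."""
    fmt = '{ip} - - [10/Mar/2026:10:{mm:02d}:{ss:02d} +0000] "POST {p} HTTP/1.1" {st} 512'
    lines = []
    for minute, n in enumerate([2, 3, 2, 3, 2]):
        for i in range(n):
            lines.append(fmt.format(ip=f"203.0.113.{10 + i}", mm=minute, ss=i * 7, p=MAGIC_LINK_PATH, st=302))
    for i in range(40):
        lines.append(fmt.format(ip="198.51.100.7", mm=5, ss=i, p=MAGIC_LINK_PATH, st=400))
    lines.append('203.0.113.5 - - [10/Mar/2026:10:05:01 +0000] "GET /login HTTP/1.1" 200 1024')
    return lines
```

On the constructed sample, `detect(build_sample_log())` flags the 10:05 bucket (40 requests against a baseline of 2 to 3 per minute) and names 198.51.100.7 as the only source over the per-source threshold.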
Monitoring Recommendations
- Forward WSO2 Identity Server audit logs and JVM metrics to a centralized SIEM for correlation
- Track heap utilization, full garbage collection frequency, and thread counts as leading indicators of resource exhaustion
- Configure alerts for HTTP 5xx responses from authentication endpoints, which often precede full service failure
How to Mitigate CVE-2025-10470
Immediate Actions Required
- Apply the patched WSO2 product versions listed in WSO2 Security Advisory WSO2-2025-4469
- Disable the Magic Link authenticator in deployments that do not require it until patches are applied
- Place a rate-limiting reverse proxy or web application firewall in front of the authentication endpoints
- Restrict network exposure of authentication endpoints to expected client ranges where feasible
Patch Information
WSO2 has issued fixed versions through the security advisory WSO2-2025-4469. Administrators should consult the advisory for the exact patched releases and WUM updates that correspond to their product and deployment topology. Apply updates in non-production environments first and validate authentication flows before promoting to production.
Workarounds
- Enforce per-source-IP and per-user request rate limits on Magic Link endpoints at the network or proxy layer
- Reduce JVM heap pressure by tuning session and authentication context timeouts to release resources more aggressively
- Temporarily disable Magic Link authentication and require an alternative authenticator until the patch is applied
- Deploy WAF rules that block clients submitting abnormal volumes of authentication initiation requests
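The two controls the Root Cause section says are missing (a per-source and aggregate rate limit, and a cap on pending authentication contexts) can be placed in front of the initiation endpoint at a proxy or gateway. The following Python is an added illustration, not WSO2 code; the limits, window, TTL and the `MagicLinkGate` policy are assumptions, and `now` is supplied by the caller from a monotonic clock.

```python
from collections import OrderedDict, deque

class SlidingWindowLimiter:
    """At most `limit` events per key within any `window`-second span."""
    def __init__(self, limit, window):
        self.limit, self.window, self.events = limit, window, {}

    def allow(self, key, now):
        q = self.events.setdefault(key, deque())
        while q and now - q[0] >= self.window:   # drop events outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

class BoundedPendingContexts:
    """Pending Magic Link contexts with a hard entry cap and a TTL, so the store
    cannot grow with request volume; oldest entries go first when the cap is hit."""
    def __init__(self, max_entries, ttl):
        self.max_entries, self.ttl, self.store = max_entries, ttl, OrderedDict()

    def evict_expired(self, now):
        while self.store and next(iter(self.store.values())) <= now:
            self.store.popitem(last=False)

    def add(self, key, now):
        self.evict_expired(now)
        if len(self.store) >= self.max_entries:
            self.store.popitem(last=False)
        self.store.pop(key, None)                  # re-insert at the tail on repeat
        self.store[key] = now + self.ttl           # constant TTL keeps expiries ordered
        return len(self.store)

class MagicLinkGate:
    """Assumed front-door policy for initiation requests: per-source limit, then
    aggregate limit, then admission into the bounded context store."""
    def __init__(self, per_source=5, aggregate=100, window=60, max_pending=1000, ttl=300):
        self.per_source = SlidingWindowLimiter(per_source, window)
        self.aggregate = SlidingWindowLimiter(aggregate, window)
        self.pending = BoundedPendingContexts(max_pending, ttl)

    def handle(self, src_ip, user_id, now):
        if not self.per_source.allow(src_ip, now):
            return "throttled_source"
        if not self.aggregate.allow("*", now):
            return "throttled_global"
        self.pending.add((src_ip, user_id, now), now)
        return "accepted"
```

With these defaults a single source is cut off after five initiations per minute, the aggregate cap holds even when requests are spread across many sources, and pending state is bounded by `max_pending` rather than by request volume.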
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.