CVE-2025-64102 Overview
CVE-2025-64102 is a high-severity authentication vulnerability in Zitadel, an open-source identity and access management platform. Because Zitadel did not properly restrict excessive authentication attempts, an attacker can mount online brute-force attacks against its password, OTP, and TOTP checks.
Zitadel does ship a lockout mechanism intended to stop brute force, but it is not enabled by default. Even where an administrator had enabled it, the protection was not fully implemented in the newer resource-based APIs, so authentication endpoints served by those APIs still accepted an unlimited number of guesses.
Critical Impact
An attacker can systematically guess passwords and OTP/TOTP codes for targeted accounts, gaining unauthorized access and compromising identities across the whole Zitadel deployment. Because Zitadel is the identity provider for the applications behind it, one compromised account there can translate into access to every application that trusts it.
Affected Products
- Zitadel 4.x versions prior to 4.6.0
- Zitadel 3.x versions prior to 3.4.3
- Zitadel versions prior to 2.71.18
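The three ranges above are per branch, so an inventory script has to pick the right fixed release for each install rather than comparing against a single number. The following is an added example for this page, not Zitadel tooling. It assumes versions are Major.Minor.Patch with an optional "v" prefix and optional prerelease suffix (a prerelease such as 4.6.0-rc.1 sorts below the 4.6.0 release it precedes), and it treats branches newer than 4.x as unaffected, which the advisory does not list either way.

```python
"""Classify an installed Zitadel version against the affected ranges on this page.

Added example, not Zitadel's own code. Assumptions: semver-style strings with
optional 'v' prefix and prerelease suffix; branches >= 5.x treated as unaffected.
"""
import re

VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.\-]+))?$")

# branch -> first fixed release in that branch; anything older than 3.x falls back to 2.71.18
FIRST_FIXED = {4: (4, 6, 0), 3: (3, 4, 3)}
LEGACY_FIXED = (2, 71, 18)


def parse_version(text):
    """Return (major, minor, patch, is_release).

    is_release is 0 for a prerelease and 1 for a release, so that
    4.6.0-rc.1 compares lower than 4.6.0 and is still flagged as affected.
    """
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1)


def fix_target(text):
    """First fixed release for this install's branch, as a string, or None
    when the branch is newer than any the advisory lists (assumed unaffected)."""
    major = parse_version(text)[0]
    if major >= 5:
        return None
    return "%d.%d.%d" % FIRST_FIXED.get(major, LEGACY_FIXED)


def is_affected(text):
    """True when the version is older than the first fixed release of its branch."""
    target = fix_target(text)
    if target is None:
        return False
    fixed = tuple(int(x) for x in target.split(".")) + (1,)
    return parse_version(text) < fixed


if __name__ == "__main__":
    # constructed sample inventory
    for v in ["4.5.9", "v4.6.0", "4.6.0-rc.1", "3.0.0", "3.4.3", "2.71.17", "2.72.0"]:
        print(f"{v:12} affected={is_affected(v)!s:5} upgrade_to={fix_target(v)}")
```

Run it over the output of your version endpoint or Helm values; a prerelease of the fixed release is reported as affected on purpose, since it predates the fix.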
Discovery Timeline
- 2025-10-29 - CVE-2025-64102 published to NVD
- 2025-11-04 - Last updated in NVD database
Technical Details for CVE-2025-64102
Vulnerability Analysis
This vulnerability is classified as CWE-307: Improper Restriction of Excessive Authentication Attempts. The core issue is that Zitadel's lockout and rate-limiting mechanisms, which exist precisely to stop brute force, stay inactive unless an administrator turns them on.
Deployments that never configure a lockout policy therefore accept an unbounded number of login attempts. That gives an attacker the time to work through password lists and to enumerate short numeric OTP and TOTP codes, whose keyspace (one million values for a six-digit code) is small enough to exhaust online. A TOTP code is valid only for its time step, which bounds what a single step yields, but repeated guessing across steps still succeeds with non-negligible probability when nothing counts the failures.
The problem is compounded by uneven coverage across the API surface. The older endpoints honour the lockout policy once it is enabled, but the newer resource-based APIs lacked the same checks, so the same account could be protected on one login path and fully exposed on another.
Root Cause
Two design decisions produced the flaw: (1) the lockout mechanism is opt-in rather than on by default, and (2) the resource-based API layer did not implement the brute-force protections at all. Together they let the authentication subsystem process an unlimited stream of failed attempts against a single account without ever triggering a lockout, even at high request rates.
Attack Vector
The attack is network-based. To guess passwords, an attacker needs only a valid login name; to guess OTP or TOTP codes, the attacker must already have passed the first factor, for example with a stolen or guessed password. The typical methodology is as follows.
Attackers first enumerate valid user accounts through reconnaissance. Once login names are known, automated tooling submits authentication requests at high rate, testing common passwords, credential-stuffing lists, or every possible OTP code. Without rate limiting or account lockout, the authentication service keeps processing each request, and the attacker eventually lands on valid credentials. For further details, see the GitHub Security Advisory GHSA-xrw9-r35x-x878.
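The root cause and the attack above reduce to one question: does the verifier count failures? The following added example (not Zitadel's code) models that in miniature: an OTP check that accepts unlimited attempts next to one that counts consecutive failures and locks the account, with the same enumeration loop run against both. The six-digit code, the limit of five attempts and the class names are illustrative assumptions; in Zitadel the equivalent control is the lockout policy described on this page.

```python
"""CWE-307 in miniature: an OTP check with no attempt limit beside one that
counts failures and locks the account.

Added example for this page; not Zitadel's code. The 6-digit code, the limit
of 5 attempts and the class names are assumptions for illustration.
"""
import hmac


class UnprotectedOtpVerifier:
    """Checks a guess against the expected code and accepts unlimited attempts.
    A 6-digit code therefore falls to at most 10**6 online guesses."""

    def __init__(self, code):
        self._code = code
        self.attempts = 0

    def verify(self, guess):
        self.attempts += 1
        # Constant-time comparison; the flaw here is the missing attempt limit,
        # not the comparison itself.
        return hmac.compare_digest(self._code, guess)


class LockingOtpVerifier(UnprotectedOtpVerifier):
    """Same check, but consecutive failures are counted and, once the limit is
    reached, every further attempt is refused without the code being checked,
    so a correct guess after lockout is indistinguishable from a wrong one."""

    def __init__(self, code, max_attempts=5):
        super().__init__(code)
        self.max_attempts = max_attempts
        self.consecutive_failures = 0
        self.locked = False

    def verify(self, guess):
        if self.locked:
            raise PermissionError("account locked: too many failed attempts")
        ok = super().verify(guess)
        if ok:
            self.consecutive_failures = 0
        else:
            self.consecutive_failures += 1
            if self.consecutive_failures >= self.max_attempts:
                self.locked = True
        return ok


def brute_force(verifier, digits=6):
    """Enumerate every code of the given length until the verifier accepts one
    or refuses to continue. Returns the recovered code, or None if locked out."""
    for n in range(10 ** digits):
        guess = f"{n:0{digits}d}"
        try:
            if verifier.verify(guess):
                return guess
        except PermissionError:
            return None
    return None


def demo(code="042817"):
    """Run the same enumeration against both verifiers. Returns
    (unprotected_result, unprotected_attempts, locking_result, locking_attempts)."""
    open_v = UnprotectedOtpVerifier(code)
    locked_v = LockingOtpVerifier(code, max_attempts=5)
    r1 = brute_force(open_v)
    r2 = brute_force(locked_v)
    return r1, open_v.attempts, r2, locked_v.attempts


if __name__ == "__main__":
    print(demo())
```

With the constructed code 042817 the unprotected verifier gives up the code after 42,818 guesses, while the locking verifier stops the attacker after five. A real lockout policy also needs an unlock path for the legitimate owner and should be paired with source-based throttling, since an attacker can otherwise use the lockout itself to deny service to known accounts.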
Detection Methods for CVE-2025-64102
Indicators of Compromise
- High volume of failed authentication attempts from single IP addresses or against specific user accounts
- Unusual patterns of OTP or TOTP validation failures in authentication logs
- Authentication attempts occurring at abnormally high frequencies (multiple requests per second)
- Successful logins immediately following a run of failed attempts for the same account or from the same source
Detection Strategies
- Implement log monitoring for authentication endpoints to detect anomalous failure rates
- Configure alerting thresholds for failed login attempts exceeding normal baselines
- Monitor for distributed brute-force patterns where multiple IPs target the same account
- Analyze authentication timing patterns to identify automated attack tools
Monitoring Recommendations
- Enable comprehensive audit logging for all Zitadel authentication events
- Integrate Zitadel logs with SIEM solutions for correlation and anomaly detection
- Establish baseline metrics for normal authentication failure rates per user and per source IP
- Configure real-time alerts for brute-force attack indicators
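The indicators and detection strategies above translate into four checks over the authentication log: a failure burst on one account, a failure burst from one source (spraying), one account attacked from many sources (distributed), and a success immediately after a run of failures. The script below is an added example for this page, not Zitadel's code or a Zitadel log format. The line layout and event names are constructed for the example; map them onto the fields your Zitadel log pipeline or SIEM actually emits, and tune the thresholds to your baselines.

```python
"""Brute-force indicators over authentication log lines (Python 3.8+).

Added example for this page; not Zitadel's own code. The line format and the
event names below are CONSTRUCTED for the example: map them onto the fields
your Zitadel log pipeline or SIEM actually emits.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) ip=(?P<ip>\S+) user=(?P<user>\S+) event=(?P<event>\S+)$"
)
FAIL_EVENTS = {"password.check.failed", "otp.check.failed", "totp.check.failed"}
SUCCESS_EVENTS = {"password.check.succeeded", "otp.check.succeeded", "totp.check.succeeded"}


def parse_line(line):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def _push(window_q, ts, window):
    """Append ts to a per-subject deque and drop entries older than the window."""
    window_q.append(ts)
    while window_q and ts - window_q[0] > window:
        window_q.popleft()


def detect(lines, window=timedelta(minutes=1), per_user_max=10, per_ip_max=20,
           distributed_min_ips=5, success_after=5):
    """Return sorted (kind, subject) findings.

    user-burst:             one account sees >= per_user_max failures inside the window
    ip-burst:               one source IP produces >= per_ip_max failures (spraying)
    distributed:            one account is attacked from >= distributed_min_ips sources
    success-after-failures: a login succeeds right after >= success_after failures
    """
    user_fail = defaultdict(deque)
    ip_fail = defaultdict(deque)
    user_ips = defaultdict(set)
    findings = set()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ts, ip, user, event = ev["ts"], ev["ip"], ev["user"], ev["event"]
        if event in FAIL_EVENTS:
            _push(user_fail[user], ts, window)
            _push(ip_fail[ip], ts, window)
            user_ips[user].add(ip)
            if len(user_fail[user]) >= per_user_max:
                findings.add(("user-burst", user))
            if len(ip_fail[ip]) >= per_ip_max:
                findings.add(("ip-burst", ip))
            if len(user_ips[user]) >= distributed_min_ips:
                findings.add(("distributed", user))
        elif event in SUCCESS_EVENTS:
            recent = [t for t in user_fail[user] if ts - t <= window]
            if len(recent) >= success_after:
                findings.add(("success-after-failures", user))
            user_fail[user].clear()
    return sorted(findings)


def sample_lines():
    """CONSTRUCTED sample: an OTP burst on alice that ends in a success, a
    distributed attack on bob, password spraying from one IP, and a benign
    user (carol) who mistypes twice."""
    base = datetime(2025, 10, 30, 12, 0, 0)
    fmt = lambda s: (base + timedelta(seconds=s)).strftime("%Y-%m-%dT%H:%M:%SZ")
    lines = []
    for i in range(12):
        lines.append(f"{fmt(i)} ip=203.0.113.5 user=alice event=otp.check.failed")
    lines.append(f"{fmt(12)} ip=203.0.113.5 user=alice event=otp.check.succeeded")
    for i in range(6):
        lines.append(f"{fmt(20 + i)} ip=203.0.113.{10 + i} user=bob event=password.check.failed")
    for i in range(25):
        lines.append(f"{fmt(30 + i)} ip=198.51.100.9 user=user{i:02d} event=password.check.failed")
    lines.append(f"{fmt(60)} ip=192.0.2.7 user=carol event=password.check.failed")
    lines.append(f"{fmt(61)} ip=192.0.2.7 user=carol event=password.check.failed")
    lines.append(f"{fmt(62)} ip=192.0.2.7 user=carol event=password.check.succeeded")
    return lines


if __name__ == "__main__":
    for kind, subject in detect(sample_lines()):
        print(f"{kind}: {subject}")
```

The per-IP counter alone misses the attack on bob, which never exceeds a handful of attempts from any one address; the per-account view and the source-count view are what catch distributed guessing, which is why the page recommends baselining both per user and per source IP.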
How to Mitigate CVE-2025-64102
Immediate Actions Required
- Upgrade Zitadel to 4.6.0, 3.4.3, or 2.71.18 (or a later release in the same branch) depending on your deployment branch
- Enable Zitadel's lockout policy; it is off by default, so the patched enforcement has no limit to apply until you configure one
- Review and harden authentication policies across all API endpoints
- Audit recent authentication logs for signs of exploitation attempts
Patch Information
Zitadel has released patched versions that address this vulnerability: 4.6.0, 3.4.3, and 2.71.18. The security patch ensures that the brute-force protections are applied consistently across all API endpoints, including the resource-based APIs. Note that the patch makes the existing lockout protection consistent; a deployment that still has no lockout policy configured remains open to online guessing after upgrading. For implementation details, refer to the GitHub commit b8db8cdf9cc8ea13f461758aef12457f8b7d972a.
Workarounds
- Enable Zitadel's lockout policy if upgrading immediately is not possible; on unpatched versions this covers only the login paths that already honour the policy, not the resource-based APIs, so treat it as a partial workaround
- Implement external rate limiting at the network or application gateway level
- Deploy Web Application Firewall (WAF) rules to throttle authentication requests
- Consider adding CAPTCHA or additional verification for repeated failed authentication attempts
# Example: rate limit Zitadel authentication endpoints with nginx as a reverse proxy.
# limit_req_zone must sit in the http{} context; the location block belongs in the
# server{} that fronts Zitadel. Adjust the path list to the login and session
# endpoints your deployment exposes. If nginx itself sits behind a load balancer,
# configure the real_ip module first, otherwise $binary_remote_addr is the balancer.
limit_req_zone $binary_remote_addr zone=auth_limit:10m rate=5r/s;
location ~ ^/(oauth/v2|ui/login|v2/sessions) {
    limit_req zone=auth_limit burst=10 nodelay;
    limit_req_status 429;
    proxy_pass http://zitadel_backend;
}
# Per-IP throttling slows a single source but not a distributed attack; it
# complements Zitadel's per-account lockout policy and does not replace it.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


