CVE-2025-66558 Overview
CVE-2025-66558 affects Nextcloud Twofactor WebAuthn, the WebAuthn Two-Factor Provider for Nextcloud. Prior to versions 1.4.2 and 2.4.1, the extension failed to verify device ownership before allowing modification actions. An attacker who correctly guesses a victim's 80-128 character random credential identifier can take away that user's registered WebAuthn 2FA device. The victim is then prompted to register a new device on their next login. The attacker cannot authenticate as the victim, limiting the impact to disruption of the second authentication factor. The issue is tracked as an Insecure Direct Object Reference weakness [CWE-639] and is fixed in versions 1.4.2 and 2.4.1.
Critical Impact
A missing ownership check allows a remote unauthenticated attacker to remove another user's WebAuthn 2FA device by guessing a long random credential identifier, forcing the victim to re-enroll a device.
Affected Products
- Nextcloud Twofactor WebAuthn versions prior to 1.4.2 (stable 1.x branch)
- Nextcloud Twofactor WebAuthn versions prior to 2.4.1 (stable 2.x branch)
- Nextcloud instances relying on the WebAuthn provider for second-factor authentication
Discovery Timeline
- 2025-12-05 - CVE-2025-66558 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-66558
Vulnerability Analysis
The Nextcloud Twofactor WebAuthn provider stores registered credentials in the database and exposes management endpoints for removing them. Before the patch, the code path that deleted a credential accepted a credential identifier without confirming that the credential belonged to the authenticated (or targeted) user. This is a classic Insecure Direct Object Reference issue [CWE-639]. Because credential identifiers are 80-128 character random strings of letters, numbers, and symbols, blind enumeration is not practical at scale. However, any leak of an identifier — through logs, backups, browser history, or side channels — enables an attacker to invalidate the associated device. Successful exploitation degrades the second factor rather than granting account access, since the attacker still cannot present valid WebAuthn assertions for the victim.
Root Cause
The root cause is a missing authorization check in the repository and mapper layers that operate on PublicKeyCredentialEntity records. The controller trusted the supplied credential identifier and did not scope the query by the current user's ID before performing the delete operation.
Attack Vector
The vulnerability is exploited over the network against an authenticated session context created by the attacker, and only requires the attacker to know or guess a target credential identifier. The impact is limited to integrity of the 2FA registration state — confidentiality and availability of user data are not directly affected.
// Patch: introduce user scoping into the credential source repository
// Source: https://github.com/nextcloud/twofactor_webauthn/commit/5d2302166d31ee2e01b2e21556bd5372156da13d
/** @var ITimeFactory */
private $time;
private ?string $userId;
/**
* @param PublicKeyCredentialEntityMapper $publicKeyCredentialEntityMapper
*/
public function __construct(PublicKeyCredentialEntityMapper $publicKeyCredentialEntityMapper,
ITimeFactory $time,
?string $userId) {
$this->publicKeyCredentialEntityMapper = $publicKeyCredentialEntityMapper;
$this->time = $time;
$this->userId = $userId;
}
The patch adds a $userId property to WebauthnPublicKeyCredentialSourceRepository so that credential lookups and mutations can be constrained to the current user. A companion change in lib/Db/PublicKeyCredentialEntityMapper.php removes the unused OCP\IUser import as the mapper is refactored to accept the user identifier directly. Source: GitHub Commit 5d23021.
Detection Methods for CVE-2025-66558
Indicators of Compromise
- Unexpected removal of a user's registered WebAuthn credential without a corresponding user-initiated action in the Nextcloud audit log.
- Users being prompted to enroll a new WebAuthn device on next login despite not deleting the prior device.
- HTTP requests to the Twofactor WebAuthn management endpoints containing credential identifiers that were not issued in the current session.
Detection Strategies
- Review Nextcloud application logs for twofactor_webauthn credential deletion events and correlate the acting user with the owner of the deleted credential.
- Inspect webserver access logs for POST or DELETE requests to WebAuthn management routes originating from IP addresses or sessions that do not match the credential owner.
- Compare the installed extension version against fixed versions 1.4.2 and 2.4.1 across all Nextcloud deployments.
Monitoring Recommendations
- Alert on any WebAuthn device deletion followed by a new device registration for the same account within a short window.
- Track ratios of WebAuthn re-enrollment events per tenant to surface anomalous spikes.
- Forward Nextcloud audit logs to a centralized SIEM or data lake for retention and correlation with authentication telemetry.
How to Mitigate CVE-2025-66558
Immediate Actions Required
- Upgrade the twofactor_webauthn app to version 1.4.2 or 2.4.1 through the Nextcloud app store or occ app:update command.
- Audit recent WebAuthn credential deletion and re-enrollment events for the past several months and notify affected users.
- Require impacted users to re-register their WebAuthn devices from a trusted session and revalidate account recovery options.
Patch Information
The fix is delivered in Nextcloud Twofactor WebAuthn 1.4.2 and 2.4.1. Details are documented in the GitHub Security Advisory GHSA-fr8x-mvjg-wf9q, Pull Request #881, commit 5d23021, and HackerOne Report #3360354.
Workarounds
- If immediate patching is not possible, disable the twofactor_webauthn app and enforce an alternate second factor such as TOTP until upgrade.
- Restrict access to Nextcloud management endpoints via reverse proxy allowlists to reduce exposure to unauthenticated network attackers.
- Enable and monitor Nextcloud's admin audit logging so that unauthorized credential deletions are surfaced quickly.
# Upgrade the Nextcloud Twofactor WebAuthn app via occ
sudo -u www-data php occ app:update twofactor_webauthn
# Verify the installed version meets the fixed release
sudo -u www-data php occ app:list | grep -A1 twofactor_webauthn
# Temporary mitigation: disable the app until patching is complete
sudo -u www-data php occ app:disable twofactor_webauthn
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

