CVE-2025-64102

CRITICAL

Zitadel < 2.71.18 - Brute Force

Title source: rule

Description

Zitadel is open-source identity infrastructure software. Prior to 4.6.0, 3.4.3, and 2.71.18, an attacker can perform an online brute-force attack on OTP, TOTP, and passwords. While Zitadel allows preventing online brute force attacks in scenarios like TOTP, Email OTP, or passwords using a lockout mechanism. The mechanism is not enabled by default and can cause a denial of service for the corresponding user if enabled. Additionally, the mitigation strategies were not fully implemented in the more recent resource-based APIs. This vulnerability is fixed in 4.6.0, 3.4.3, and 2.71.18.

References (2)

[Vendor Advisory] https://github.com/zitadel/zitadel/security/advisories/GHSA-xrw9-r35x-x878

[Patch] https://github.com/zitadel/zitadel/commit/b8db8cdf9cc8ea13f461758aef12457f8b7d972a

View Patch ZIP pw:eip

Scores

CVSS v3 9.8

EPSS 0.0004

EPSS Percentile 11.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-307

Status published

Products (3)

zitadel/zitadel < 2.71.18

zitadel/zitadel 0 - 1.80.0-v2.20.0.20251029090735-b8db8cdf9cc8Go

zitadel/zitadel 0 - 2.71.18Go

Published Oct 29, 2025

Tracked Since Feb 18, 2026