CVE-2024-45042

CVE-2024-45042 is a medium-severity improper authentication vulnerability in github.com/ory/kratos (go), affecting versions <= 1.2.0. It is fixed in 1.3.0.

Summary

Preconditions

  • The code login method is enabled with the passwordless_enabled flag set to true .
  • A 2FA method such as totp is enabled.
  • required_aal of the whomai check or the settings flow is set to highest_available. AAL stands for Authenticator Assurance Levels and can range from 0 (no factor) to 2 (two factors).
  • A user uses the code method as the only login method available. They do not have a password or any other first factor credential enabled.
  • The user has 2FA enabled.
  • The user’s available_aal is incorrectly stored in the database as aal1 or aal0 or NULL.
  • A user signs in using the code method, but does not complete the 2FA challenge.

Example server configuration

Below you will find an vulnerable example configuration. Keep in mind that, for the account to be vulnerable, the account must have no first factor except the code method enabled plus a second factor.

selfservice:
  methods:
    code:
      # The `code` login method is enabled with the `passwordless_enabled` flag set to `true`
      passwordless_enabled: true
    totp:
      # 2FA method such as `totp` is enabled
      enabled: true
  flows:
    settings:
      # This is set
      required_aal: highest_available
session:
  whoami:
    # Or this
    required_aal: highest_available

Workarounds

If you require 2FA please disable the passwordless code login method. If that is not possible, check the sessions aal to identify if the user has aal1 or aal2.

Impact

Given the preconditions, the highest_available setting will incorrectly assume that the identity’s highest available AAL is aal1 even though it really is aal2. This means that the highest_available configuration will act as if the user has only one factor set up, for that particular user. This means that they can call the settings and whoami endpoint without a aal2 session, even though that should be disallowed.

An attacker would need to steal or guess a valid login OTP of a user who has only OTP for login enabled and who has an incorrect available_aal value stored, to exploit this vulnerability.

All other aspects of the session (e.g. the session’s aal) are not impacted by this issue.

On Ory Network, only 0,00066% of registered users were affected by this issue, and most of those users appeared to be test users. Their respective AAL values have since been updated and they are no longer vulnerable to this attack.

The application does not adequately verify the identity of a user, device, or process before granting access. Typical impact: unauthorized access to functions or data reserved for authenticated parties.

CVE-2024-45042 has a CVSS score of 4.4 (Medium). The vector is network-reachable, high privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (1.3.0); upgrading removes the vulnerable code path.

Affected versions

github.com/ory/kratos (<= 1.2.0)

Security releases

github.com/ory/kratos → 1.3.0 (go)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

Version 1.3.0 is not affected by this issue.

Frequently Asked Questions

  1. What is CVE-2024-45042? CVE-2024-45042 is a medium-severity improper authentication vulnerability in github.com/ory/kratos (go), affecting versions <= 1.2.0. It is fixed in 1.3.0. The application does not adequately verify the identity of a user, device, or process before granting access.
  2. How severe is CVE-2024-45042? CVE-2024-45042 has a CVSS score of 4.4 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of github.com/ory/kratos are affected by CVE-2024-45042? github.com/ory/kratos (go) versions <= 1.2.0 is affected.
  4. Is there a fix for CVE-2024-45042? Yes. CVE-2024-45042 is fixed in 1.3.0. Upgrade to this version or later.
  5. Is CVE-2024-45042 exploitable, and should I be worried? Whether CVE-2024-45042 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2024-45042 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2024-45042? Upgrade github.com/ory/kratos to 1.3.0 or later.

Other vulnerabilities in github.com/ory/kratos

CVE-2024-45042

Stop the waste.
Protect your environment with Kodem.