Summary
A vulnerability in Zitadel allowed brute-force attacks on OTP, TOTP and passwords, enabling an attacker to impersonate the attacked user.
Affected Versions
All versions within the following ranges, including release candidates (RCs), are affected:
- 4.x: 4.0.0 to 4.4.0 (including RC versions)
- 3.x: 3.0.0 to 3.4.2 (including RC versions)
- 2.x: v2.0.0 to 2.71.17
Workarounds
The recommended solution is to update Zitadel to a patched version.
The problem might be mitigated by enabling the optional lockout policy ("Password maximum attempts") or by implementing stricter rate limits.
Questions
If you have any questions or comments about this advisory, please email us at [email protected]
Credits
This vulnerability was found by zentrust partners GmbH during a scheduled penetration test. Thank you to the analysts Martin Tschirsich, Joud Zakharia and Christopher Baumann.
The full report will be made public after the complete review.
Impact
An attacker can perform an online brute-force attack on OTP, TOTP, and passwords. Zitadel can prevent online brute-force attacks against TOTP, Email OTP and passwords through a lockout mechanism, but that mechanism is not enabled by default and, when enabled, can cause a denial of service for the corresponding user. Additionally, the mitigation strategies were not fully implemented in the more recent resource-based APIs.
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
The vulnerability has been addressed in the latest releases. The patch resolves the issue by enforcing the lockout policy on all OTP, TOTP and password checks. Additionally, a "tar pit" has been introduced to slow down brute-force attacks by default: Zitadel responses will be delayed by t seconds, where t increases with the number of failed attempts within a given timeframe.
- 4.x: Upgrade to >=4.6.0
- 3.x: Upgrade to >=3.4.3
- 2.x: Upgrade to >=2.71.18
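As an added illustration (not Zitadel's code, and not taken from the patch), the following Go sketch models the two controls the fix relies on: a lockout once a user reaches a maximum number of failed attempts, and a tar-pit delay that grows with the failures seen inside a sliding window. The one-second-per-failure growth, the window length and the type and field names are assumptions.

```go
package main

import (
	"fmt"
	"time"
)
// BruteForceGuard models a lockout after MaxAttempts recent failures plus a "tar pit"
// delay that grows with the failures seen inside a sliding window. Constructed example,
// not Zitadel's code; one second of delay per recent failure is an assumption.
type BruteForceGuard struct {
	MaxAttempts int                    // lockout threshold; 0 disables lockout
	Window      time.Duration          // failures older than this are forgotten
	Failures    map[string][]time.Time // per-user failure timestamps (must be non-nil)
}

// prune forgets failures outside the window and returns how many remain.
func (g *BruteForceGuard) prune(user string, now time.Time) int {
	kept := g.Failures[user][:0]
	for _, t := range g.Failures[user] {
		if now.Sub(t) < g.Window {
			kept = append(kept, t)
		}
	}
	g.Failures[user] = kept
	return len(kept)
}

// Check runs before every password, OTP or TOTP verification: delay to impose, and lock state.
func (g *BruteForceGuard) Check(user string, now time.Time) (time.Duration, bool) {
	n := g.prune(user, now)
	if g.MaxAttempts > 0 && n >= g.MaxAttempts {
		return 0, true
	}
	return time.Duration(n) * time.Second, false
}

// RecordFailure stores a failed attempt; a successful check should delete(g.Failures, user).
func (g *BruteForceGuard) RecordFailure(user string, now time.Time) {
	g.prune(user, now)
	g.Failures[user] = append(g.Failures[user], now)
}

func main() {
	g, now := &BruteForceGuard{MaxAttempts: 3, Window: 10 * time.Minute, Failures: map[string][]time.Time{}}, time.Now()
	for i := 1; i <= 4; i++ { // the fourth check is rejected by the lockout
		delay, locked := g.Check("alice", now)
		fmt.Printf("attempt %d: delay=%v locked=%v\n", i, delay, locked)
		g.RecordFailure("alice", now)
	}
}
```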
Frequently Asked Questions
- What is CVE-2025-64102? CVE-2025-64102 is a high-severity security vulnerability in github.com/zitadel/zitadel/v2 (go), affecting versions < 2.71.18. It is fixed in 2.71.18, 1.80.0-v2.20.0.20251029090735-b8db8cdf9cc8.
- Which packages are affected by CVE-2025-64102? github.com/zitadel/zitadel/v2 (go), versions < 2.71.18; github.com/zitadel/zitadel (go), versions < 1.80.0-v2.20.0.20251029090735-b8db8cdf9cc8.
- Is there a fix for CVE-2025-64102? Yes. CVE-2025-64102 is fixed in 2.71.18, 1.80.0-v2.20.0.20251029090735-b8db8cdf9cc8. Upgrade to this version or later.
- Is CVE-2025-64102 exploitable, and should I be worried? Whether CVE-2025-64102 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
- What actually determines whether CVE-2025-64102 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2025-64102?
  - Upgrade github.com/zitadel/zitadel/v2 to 2.71.18 or later
  - Upgrade github.com/zitadel/zitadel to 1.80.0-v2.20.0.20251029090735-b8db8cdf9cc8 or later
- Upgrade