Description

An authentication bypass vulnerability exists in multiple WSO2 products when FIDO authentication is enabled. When a user account is deleted, the system does not automatically remove associated FIDO registration data. If a new user account is later created using the same username, the system may associate the new account with the previously registered FIDO device. This flaw may allow a previously deleted user to authenticate using their FIDO credentials and impersonate the newly created user, resulting in unauthorized access. The vulnerability applies only to deployments that utilize FIDO-based authentication.
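A constructed model of the data-model flaw the description outlines, added here as an example and not WSO2's code: the vulnerable store keeps FIDO registrations keyed only by username, so they outlive the account; the hardened store removes them on deletion and additionally binds each credential to an immutable account id, so even a registration that survived cleanup is rejected. The `orphaned_registrations` helper is the audit an operator could run against such a store. All class and function names are assumptions.

```python
import uuid

class VulnerableStore:
    """Model of the flaw: FIDO registrations keyed only by username."""
    def __init__(self):
        self.accounts = {}   # username -> immutable account id
        self.fido = {}       # username -> set of credential ids
    def create_user(self, username):
        self.accounts[username] = uuid.uuid4().hex
    def register_device(self, username, cred_id):
        self.fido.setdefault(username, set()).add(cred_id)
    def delete_user(self, username):
        del self.accounts[username]   # FIDO rows are left behind
    def authenticate(self, username, cred_id):
        return username in self.accounts and cred_id in self.fido.get(username, set())

class HardenedStore(VulnerableStore):
    """Removes registrations on deletion and binds each credential to the account id."""
    def __init__(self):
        super().__init__()
        self.owner = {}      # cred_id -> account id that registered it
    def register_device(self, username, cred_id):
        super().register_device(username, cred_id)
        self.owner[cred_id] = self.accounts[username]
    def delete_user(self, username):
        for cred in self.fido.pop(username, set()):
            self.owner.pop(cred, None)
        del self.accounts[username]
    def authenticate(self, username, cred_id):
        # A registration that survived deletion still fails: its owner id differs.
        acct = self.accounts.get(username)
        return acct is not None and self.owner.get(cred_id) == acct

def orphaned_registrations(store):
    """Operator check: usernames that still have FIDO rows but no account."""
    return sorted(u for u in store.fido if u not in store.accounts)

def replay(store_cls):
    """Constructed scenario: delete 'alice', recreate the username, try the old device."""
    s = store_cls()
    s.create_user("alice")
    s.register_device("alice", "cred-old")
    s.delete_user("alice")
    orphans = orphaned_registrations(s)   # what a cleanup audit would find
    s.create_user("alice")                # same username, new account
    return s.authenticate("alice", "cred-old"), orphans
```

`replay(VulnerableStore)` returns `(True, ['alice'])`: the old device authenticates as the new account and the audit flags the orphaned row; `replay(HardenedStore)` returns `(False, [])`.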

Status: PUBLISHED | Reserved: 2025-01-23 | Published: 2025-09-23 | Updated: 2025-09-25 | Assigner: WSO2

Severity: LOW (3.3) | Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N

Product status

Default status: unaffected
Any version before 5.10.0: unknown
5.10.0 (custom) before 5.10.0.338: affected

Default status: unaffected
Any version before 5.10.0: unknown
5.10.0 (custom) before 5.10.0.345: affected
5.11.0 (custom) before 5.11.0.394: affected

Default status: unaffected
2.0.0 (custom) before 2.0.0.389: affected

References

security.docs.wso2.com/...ty-advisories/2025/WSO2-2025-3134/ vendor-advisory

cve.org (CVE-2025-0672)

nvd.nist.gov (CVE-2025-0672)
