Description

Nextcloud Twofactor WebAuthn is the WebAuthn Two-Factor Provider for Nextcloud. Prior to 1.4.2 and 2.4.1, a missing ownership check allowed an attack to take-away a 2FA webauthn device when correctly guessing a 80-128 character long random string of letters, numbers and symbols. The victim would then be prompted to register a new device on the next login. The attacker can not authenticate as the victim. This vulnerability is fixed in 1.4.2 and 2.4.1.

INFO

Published Date :

2025-12-05T18:00:49.792Z

Last Modified :

2025-12-05T18:35:53.477Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-66558 vulnerability.

Vendors Products
Nextcloud
  • Two-factor Webauthn
  • Twofactor Webauthn
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-66558.

URL Resource
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-fr8x-mvjg-wf9q cve-icon cve-icon
https://github.com/nextcloud/twofactor_webauthn/commit/5d2302166d31ee2e01b2e21556bd5372156da13d cve-icon cve-icon
https://github.com/nextcloud/twofactor_webauthn/pull/881 cve-icon cve-icon
https://hackerone.com/reports/3360354 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact