CVE-2025-66489
📋 TL;DR
This vulnerability in Cal.com scheduling software allows attackers to bypass password verification when providing a TOTP code, potentially gaining unauthorized access to user accounts. All users running Cal.com versions before 5.9.8 are affected. The issue stems from flawed conditional logic in the authentication flow.
💻 Affected Systems
- Cal.com
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover of any user, including administrators, leading to data theft, scheduling manipulation, and potential privilege escalation.
Likely Case
Unauthorized access to user accounts, allowing attackers to view sensitive scheduling information, modify appointments, and impersonate legitimate users.
If Mitigated
Limited impact if MFA is disabled or accounts have additional security controls, though authentication bypass remains possible.
🎯 Exploit Status
Exploitation requires knowledge of a valid username and the ability to provide a TOTP code, but no password is needed. The vulnerability is in the authentication logic itself.
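As an added illustration (example code, not Cal.com's own implementation, which this page does not reproduce), the following TypeScript sketches the class of flawed conditional described above next to a hardened version that always verifies the password first; the user store, password hashing and TOTP verifier are assumed placeholders.

```typescript
// Constructed illustration of the bug class in this advisory: a conditional that
// lets a supplied TOTP code replace password verification. Not Cal.com's code;
// the user store, hashing and TOTP check are simplified placeholders.
type User = { email: string; passwordHash: string; totpSecret?: string };
type Credentials = { email: string; password?: string; totp?: string };

// Constructed sample user. "hash(...)" is a stand-in for a real password hash.
const USERS = new Map<string, User>([
  ["alice@example.com", { email: "alice@example.com", passwordHash: "hash(correct-horse)", totpSecret: "ENROLLED" }],
]);
const VALID_TOTP = "123456"; // placeholder for what a real TOTP verifier would compute

function checkPassword(user: User, password?: string): boolean {
  return password !== undefined && `hash(${password})` === user.passwordHash;
}
function checkTotp(user: User, code?: string): boolean {
  return user.totpSecret !== undefined && code === VALID_TOTP;
}

// Vulnerable shape: when a TOTP code is present the password branch is never
// reached, so a valid TOTP alone authenticates the user (no password needed).
function authorizeVulnerable(c: Credentials): boolean {
  const user = USERS.get(c.email);
  if (!user) return false;
  if (c.totp) {
    return checkTotp(user, c.totp); // password is never checked on this path
  }
  return checkPassword(user, c.password);
}

// Hardened shape: verify the password unconditionally first, then treat TOTP as
// an additional requirement for enrolled users, never as a substitute.
function authorizeFixed(c: Credentials): boolean {
  const user = USERS.get(c.email);
  if (!user) return false;
  if (!checkPassword(user, c.password)) return false;
  if (user.totpSecret !== undefined) return checkTotp(user, c.totp);
  return true;
}
```

The hardened version is also the shape to test against when verifying a patched deployment: a request carrying only a TOTP code must be rejected.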
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.9.8
Vendor Advisory: https://github.com/calcom/cal.com/security/advisories/GHSA-9r3w-4j8q-pw98
Restart Required: Yes
Instructions:
1. Update Cal.com to version 5.9.8 or later.
2. For Docker deployments: pull the latest image and restart containers.
3. For manual installations: git pull from the repository and restart the service.
4. Verify the update completed successfully.
🔧 Temporary Workarounds
Disable TOTP-based MFA
Temporarily disable TOTP multi-factor authentication to prevent exploitation of this bypass.
Check Cal.com documentation for MFA disable procedure
🧯 If You Can't Patch
- Implement network-level access controls to restrict Cal.com access to trusted users only
- Monitor authentication logs for suspicious login attempts without password verification
🔍 How to Verify
Check if Vulnerable:
Check the Cal.com version via the admin interface or by examining the package/container version. If the version is below 5.9.8, the system is vulnerable.
Check Version:
For Docker: docker inspect calcom | grep version
For manual installations: check package.json or the admin dashboard
Verify Fix Applied:
After updating, verify the version is 5.9.8 or higher and test the authentication flow with TOTP codes to ensure password verification still occurs.
📡 Detection & Monitoring
Log Indicators:
- Successful logins without corresponding password verification events
- Multiple failed TOTP attempts followed by successful login
- Login events from unusual locations/times
Network Indicators:
- Authentication requests containing TOTP codes but missing password parameters
- Unusual authentication pattern sequences
SIEM Query:
source="calcom.logs" AND (event="login_success" AND NOT password_verified="true")