CVE-2025-66558

Severity score: 3.1 (LOW)

📋 TL;DR

A vulnerability in Nextcloud's Twofactor WebAuthn plugin allows an attacker to remove another user's WebAuthn 2FA device by correctly guessing a long random string. The victim is forced to re-register the device at next login, but the flaw does not let the attacker authenticate as the victim. All Nextcloud instances running vulnerable versions of the Twofactor WebAuthn plugin are affected.

💻 Affected Systems

Products:
  • Nextcloud Twofactor WebAuthn plugin
Versions: prior to 1.4.2 (1.x branch) and prior to 2.4.1 (2.x branch)
Operating Systems: All platforms running Nextcloud
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations with the Twofactor WebAuthn plugin enabled and in use.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker successfully guesses the random string and removes a user's WebAuthn 2FA device, locking the user out until they can re-register the device and potentially causing service disruption.

🟠 Likely Case

Low probability of successful exploitation, since the attacker must guess an 80-128 character random string; if it succeeds, the user experiences a temporary 2FA disruption and must re-register the device.

🟢 If Mitigated

With the patch applied, no impact: the fixed versions add an ownership check before a device can be removed, which eliminates the vulnerability.

🌐 Internet-Facing: LOW
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: No
Weaponized: No
Unauthenticated Exploit: No
Complexity: HIGH

Exploitation requires correctly guessing an 80-128 character random string, making successful attacks extremely unlikely in practice.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.4.2 or 2.4.1

Vendor Advisory: https://github.com/nextcloud/security-advisories/security/advisories/GHSA-fr8x-mvjg-wf9q

Restart Required: No

Instructions:

1. Update the Nextcloud Twofactor WebAuthn plugin to version 1.4.2 (1.x branch) or 2.4.1 (2.x branch) via the Nextcloud app store or a manual installation.
2. No restart is required; the change takes effect immediately.

🔧 Temporary Workarounds

Disable WebAuthn 2FA

Applies to: all affected versions

Temporarily disable the WebAuthn two-factor provider app until the patch is applied. Run as the web server user from the Nextcloud root (note that this removes WebAuthn as a second factor for every user on the instance until the app is re-enabled):

occ app:disable twofactor_webauthn

🧯 If You Can't Patch

  • Monitor for suspicious 2FA device removal attempts in logs
  • Implement rate limiting on 2FA management endpoints

🔍 How to Verify

Check if Vulnerable:

Check the installed version of the twofactor_webauthn app in the Nextcloud admin settings (Apps), or from the command line:

Check Version:

occ app:list | grep twofactor_webauthn

Verify Fix Applied:

Verify that the twofactor_webauthn app version is 1.4.2 or higher (1.x branch) or 2.4.1 or higher (2.x branch).

📡 Detection & Monitoring

Log Indicators:

  • Unexpected 2FA device removal events
  • Failed 2FA registration attempts followed by device removal

Network Indicators:

  • Unusual patterns of requests to WebAuthn device management endpoints

SIEM Query:

source="nextcloud" AND (event="2fa_device_removed" OR event="webauthn_device_removed")
