Brute Force Attack Vulnerability in Authelia Authentication Server
CVE-2025-24806

2.3 LOW

Key Information:

Vendor: Authelia
Status: Vendor
CVE Published: 19 February 2025

What is CVE-2025-24806?

When the Authelia authentication and authorization server is configured to accept both a username and an email address at sign-in, it regulates failed login events for each identifier separately rather than per account. An attacker who alternates between the two identifiers therefore gets twice the configured limit of failed attempts before a regulation ban takes effect. Regulation bans are also not clearly reported to the user, which makes failed login attempts harder to identify. The issue is more serious in deployments that do not enforce two-factor authentication and where passwords are weak. Affected users are encouraged to upgrade to the latest versions; those unable to do so should keep the default regulation settings to limit the risk of exploitation.
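The per-identifier regulation described above, shown with a small Go regulator added here as an illustration; it is not Authelia's code, and the account map, the limit of 3 and the `alice` / `alice@example.com` identifiers are constructed assumptions. The `canonical` flag switches between keying failures on the raw identifier, which gives username and email separate budgets, and keying them on the resolved account so both share one limit.

```go
package main

import "strings"

// Regulator is a hypothetical login regulator (not Authelia's code). Failure
// counters are keyed by a string, and the choice of key decides whether a
// username and the same account's email share one limit or each get their own.
type Regulator struct {
	maxRetries  int
	failures    map[string]int
	emailToUser map[string]string // constructed stand-in for a user backend
	canonical   bool              // false: key on raw identifier (flawed); true: key on account
}

func NewRegulator(maxRetries int, emailToUser map[string]string, canonical bool) *Regulator {
	return &Regulator{maxRetries: maxRetries, failures: map[string]int{},
		emailToUser: emailToUser, canonical: canonical}
}

// key resolves a submitted identifier to the counter it updates.
func (r *Regulator) key(identifier string) string {
	id := strings.ToLower(strings.TrimSpace(identifier))
	if r.canonical {
		if user, ok := r.emailToUser[id]; ok {
			return user // email attempts share the username's counter
		}
	}
	return id // raw keying: username and email are regulated separately
}

// RecordFailure counts one failed login against the resolved key.
func (r *Regulator) RecordFailure(identifier string) { r.failures[r.key(identifier)]++ }

// Banned reports whether further attempts for this identifier are rejected.
func (r *Regulator) Banned(identifier string) bool {
	return r.failures[r.key(identifier)] >= r.maxRetries
}

// AcceptedAttempts replays the alternating username/email pattern described
// above and returns how many failed logins are processed before both are rejected.
func AcceptedAttempts(r *Regulator, username, email string) int {
	ids, accepted := []string{username, email}, 0
	for i := 0; i < 4*r.maxRetries; i++ {
		if id := ids[i%2]; !r.Banned(id) {
			r.RecordFailure(id)
			accepted++
		}
	}
	return accepted
}
```

With a limit of 3, raw keying accepts 6 failed attempts for the account while account keying accepts 3, which is the doubling the advisory describes.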

Affected Version(s)

authelia < 4.38.19

CVSS V4

Score: 2.3
Severity: LOW
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: High
Attack Requirements: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability reserved
