Authentication Bypass Vulnerability in Cal.com Scheduling Software
CVE-2025-66489
What is CVE-2025-66489?
CVE-2025-66489 is a vulnerability in Cal.com, an open-source scheduling platform used by individuals and organizations to manage appointments. The flaw lies in the authentication mechanism: a weakness in the conditional logic of the login credentials provider allows an attacker to bypass password verification when a Time-based One-Time Password (TOTP) code is supplied. As a result, an unauthenticated party could gain access to user accounts without presenting valid credentials. Exploitation could lead to unauthorized control over accounts, exposure of sensitive information, and disruption of service for legitimate users. The issue was fixed in version 5.9.8, so affected deployments should be updated promptly.
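To make the bug class concrete, the following is an added illustration and not Cal.com's own code: a hypothetical credentials-provider `authorize` routine in which the branch structure makes the password check conditional on the absence of a TOTP code, shown beside a corrected version that verifies the password unconditionally and treats TOTP as an additional factor. The user store, the `hashPassword`, `verifyPassword`, `toyTotpCode` and `verifyTotp` helpers, and the sample account are all constructed for this example; the TOTP check is a toy stand-in, not RFC 6238.

```typescript
// Added example (hypothetical; not Cal.com's implementation). Demonstrates a
// credentials provider whose conditional logic lets a supplied TOTP code
// skip password verification, and the hardened form of the same routine.
import { createHmac, timingSafeEqual } from "node:crypto";

interface User { email: string; passwordHash: string; totpSecret?: string; }
interface Credentials { email: string; password?: string; totpCode?: string; }

// Stand-in for a real password hash (bcrypt/argon2) so the example runs offline.
function hashPassword(pw: string): string {
  return createHmac("sha256", "example-pepper").update(pw).digest("hex");
}

// Constant-time comparison of the stored hash against the hash of the input.
function verifyPassword(pw: string, storedHash: string): boolean {
  const a = Buffer.from(hashPassword(pw), "hex");
  const b = Buffer.from(storedHash, "hex");
  return a.length === b.length && timingSafeEqual(a, b);
}

// Toy TOTP: a fixed "time window" so the code is deterministic in this example.
// A real implementation derives the code from the current time step (RFC 6238).
function toyTotpCode(secret: string): string {
  return createHmac("sha256", secret).update("window-0").digest("hex").slice(0, 6);
}
function verifyTotp(code: string, secret: string): boolean {
  const a = Buffer.from(code);
  const b = Buffer.from(toyTotpCode(secret));
  return a.length === b.length && timingSafeEqual(a, b);
}

// Constructed sample account with TOTP enrolled.
const users: User[] = [
  { email: "alice@example.com", passwordHash: hashPassword("correct horse"), totpSecret: "secret-a" },
];

// VULNERABLE PATTERN: the password branch is only reached when no TOTP code
// is present, so any request that carries a totpCode never has its password
// checked. The second factor has silently replaced the first.
function authorizeVulnerable(c: Credentials): User | null {
  const user = users.find((u) => u.email === c.email);
  if (!user) return null;
  if (c.totpCode) {
    if (!user.totpSecret || !verifyTotp(c.totpCode, user.totpSecret)) return null;
    return user; // password never verified on this path
  }
  if (!c.password || !verifyPassword(c.password, user.passwordHash)) return null;
  return user;
}

// FIXED PATTERN: password verification is unconditional. TOTP is layered on
// top and is required whenever the account has a secret enrolled, so neither
// factor can stand in for the other.
function authorizeFixed(c: Credentials): User | null {
  const user = users.find((u) => u.email === c.email);
  if (!user) return null;
  if (!c.password || !verifyPassword(c.password, user.passwordHash)) return null;
  if (user.totpSecret) {
    if (!c.totpCode || !verifyTotp(c.totpCode, user.totpSecret)) return null;
  }
  return user;
}

// Stand-alone demonstration of the difference between the two routines.
const probe: Credentials = {
  email: "alice@example.com",
  password: "wrong password",
  totpCode: toyTotpCode("secret-a"),
};
console.log("vulnerable accepts wrong password with TOTP:", authorizeVulnerable(probe) !== null);
console.log("fixed accepts wrong password with TOTP:", authorizeFixed(probe) !== null);
```

When reviewing or testing a multi-factor login path, the check that matters is the one the fixed routine encodes: every factor the account requires must be verified on every code path, and the presence of one factor must never cause another to be skipped. A unit test that submits a wrong password together with a valid second factor, and expects rejection, catches this class of conditional-logic bug directly.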
Potential impact of CVE-2025-66489
- Unauthorized Access: Exploiting this vulnerability could allow attackers to gain unauthorized access to user accounts, compromising sensitive data and potentially leading to further exploitation of system resources.
- Data Breaches: With unauthorized access, attackers could access personal or confidential data, resulting in significant data breaches that could harm users and organizations and expose them to legal liabilities.
- Service Disruption: Unauthorized control over user accounts may result in service disruptions, affecting the scheduling functionality organizations rely on, which could lead to loss of productivity and of user trust.
Affected Version(s)
cal.com < 5.9.8
News Articles
Critical cal.com Flaw Allows Attackers to Bypass Login Using Fake TOTP Codes
Tracked as CVE-2025-66489 with a critical CVSS v4 score of 9.3, this vulnerability affects all versions of Cal.com up to and including 5.9.7.
Timeline
- Exploit known to exist
- First article discovered by Cyber Press
- Vulnerability published
- Vulnerability reserved
