Two-Factor Authentication Bypass in Nextcloud's WebAuthn Provider
CVE-2025-66558

3.1 LOW

Key Information:

Vendor: Nextcloud

CVE Published: 5 December 2025

What is CVE-2025-66558?

The Nextcloud Twofactor WebAuthn component is vulnerable because of a missing ownership check. An attacker who correctly guesses a random string of 80 to 128 characters can take over another user's 2FA WebAuthn device; the affected user is then prompted to register a new device at their next login, potentially compromising their account security. The issue was addressed in versions 1.4.2 and 2.4.1, which add the missing ownership check.

Affected Version(s)

security-advisories: < 1.4.2 (fixed in 1.4.2)

security-advisories: >= 2.0.0-beta.1, < 2.4.1 (fixed in 2.4.1)

References

CVSS V3.1

Score: 3.1
Severity: LOW
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
