Vulnerability Description
Nextcloud Twofactor WebAuthn is the WebAuthn Two-Factor Provider for Nextcloud. Prior to 1.4.2 and 2.4.1, a missing ownership check allowed an attack to take-away a 2FA webauthn device when correctly guessing a 80-128 character long random string of letters, numbers and symbols. The victim would then be prompted to register a new device on the next login. The attacker can not authenticate as the victim. This vulnerability is fixed in 1.4.2 and 2.4.1.
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Nextcloud | Two-Factor Webauthn | >= 1.0.0, < 1.4.2 |
Related Weaknesses (CWE)
References
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-fr8x-mPatchVendor Advisory
- https://github.com/nextcloud/twofactor_webauthn/commit/5d2302166d31ee2e01b2e2155Patch
- https://github.com/nextcloud/twofactor_webauthn/pull/881Issue TrackingPatch
- https://hackerone.com/reports/3360354Permissions RequiredVendor Advisory
FAQ
What is CVE-2025-66558?
CVE-2025-66558 is a vulnerability with a CVSS score of 3.1 (LOW). Nextcloud Twofactor WebAuthn is the WebAuthn Two-Factor Provider for Nextcloud. Prior to 1.4.2 and 2.4.1, a missing ownership check allowed an attack to take-away a 2FA webauthn device when correctly ...
How severe is CVE-2025-66558?
CVE-2025-66558 has been rated LOW with a CVSS base score of 3.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-66558?
Check the references section above for vendor advisories and patch information. Affected products include: Nextcloud Two-Factor Webauthn.