CVE-2025-66558: Low-Severity WebAuthn 2FA Takeover in Nextcloud

Overview

CVE-2025-66558 describes a vulnerability in Nextcloud Twofactor WebAuthn, the WebAuthn two-factor provider for Nextcloud. In versions prior to 1.4.2 (1.x line) and 2.4.1 (2.x line), an attacker who guesses the 80-128 character random string tied to a victim's registered WebAuthn 2FA device can take that registration over. The attacker cannot use it to authenticate as the victim, but the victim's authenticator stops working and they are forced to re-register it, which leaves the account without its second factor until they do. Versions 1.4.2 and 2.4.1 fix the issue.

Technical Details

The root cause is a missing ownership check on stored WebAuthn device records. The code path that registers or disassociates a device identified the record only by its long random string and did not verify that the account performing the operation was the one that had registered the device. Guessing that string is therefore enough for an attacker to take over or remove the victim's record. The victim's authenticator no longer matches anything on the server, and at their next login they are prompted to register a new device. This does not give the attacker the victim's password or a way past the victim's 2FA, but it strips the second factor from the account until re-registration, so a phished or leaked password is enough during that window.

The fix adds the ownership check, so a device record can only be changed or removed by the account that registered it.
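To make the bug class concrete, here is an added example in Python that is not code from the page or from the Nextcloud project: a small in-memory store of device records with the vulnerable operation (keyed only by the random identifier) beside the fixed one (scoped to the acting user). The class and method names, the 96-character identifier and the user names are assumptions made for the illustration.

```python
# Added example, not code from the page or from the Nextcloud project:
# a minimal in-memory store of WebAuthn 2FA device records that shows the
# bug class the advisory describes (an action on a device record keyed
# only by its random identifier, with no ownership check) next to the
# fixed form. DeviceStore, detach_vulnerable and detach_fixed are names
# chosen for this illustration, not the app's real classes or routes.
import secrets
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Device:
    owner: str          # account that registered the authenticator
    credential_id: str  # long random identifier of the registration
    name: str           # display name chosen by the user


class DeviceStore:
    def __init__(self) -> None:
        self._by_id: Dict[str, Device] = {}

    def register(self, owner: str, name: str) -> Device:
        # The identifier is long and random (the advisory speaks of an
        # 80-128 character string). 72 random bytes give 96 URL-safe
        # base64 characters; the app's real encoding is not known here.
        dev = Device(owner, secrets.token_urlsafe(72), name)
        self._by_id[dev.credential_id] = dev
        return dev

    def devices_of(self, user: str) -> List[Device]:
        return [d for d in self._by_id.values() if d.owner == user]

    def needs_reregistration(self, user: str) -> bool:
        # What the victim sees after a successful attack: no device left,
        # so the next login prompts them to register a new one.
        return not self.devices_of(user)

    def detach_vulnerable(self, acting_user: str, cred_id: str) -> bool:
        # Vulnerable: the record is looked up by the random id alone.
        # acting_user is known but never compared with the record's owner,
        # so anyone who presents (or guesses) the id removes the device.
        dev = self._by_id.get(cred_id)
        if dev is None:
            return False
        del self._by_id[cred_id]
        return True

    def detach_fixed(self, acting_user: str, cred_id: str) -> bool:
        # Fixed: the lookup is scoped to the authenticated user. A record
        # that exists but belongs to someone else is reported as not found,
        # so the attacker learns nothing and changes nothing. In a database
        # this is one query constrained on both id and owner columns,
        # not a lookup followed by a separate check.
        dev = self._by_id.get(cred_id)
        if dev is None or dev.owner != acting_user:
            return False
        del self._by_id[cred_id]
        return True


def demo() -> Dict[str, bool]:
    """Run the attack against both variants. The attacker is handed the
    victim's id to stand in for a successful guess of the random string."""
    results = {}
    for variant in ("detach_vulnerable", "detach_fixed"):
        store = DeviceStore()
        victim_key = store.register("alice", "work security key")
        store.register("mallory", "attacker key")
        guessed = victim_key.credential_id
        removed = getattr(store, variant)("mallory", guessed)
        results[variant] = removed and store.needs_reregistration("alice")
    return results


if __name__ == "__main__":
    for variant, taken_over in demo().items():
        print(f"{variant}: victim forced to re-register = {taken_over}")
```

The point of the fixed form is that the random identifier is never treated as proof of ownership: it is a lookup key, and the authenticated account is always part of the query. Scoping the query that way also means an attacker probing identifiers cannot tell a record that belongs to someone else from one that does not exist.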

CVSS Analysis

The Common Vulnerability Scoring System (CVSS) assigns CVE-2025-66558 a score of 3.1 (Low). The score reflects high attack complexity and limited direct impact: the attacker has to guess an 80-128 character random string, which is not feasible by brute force, and success removes the 2FA device rather than revealing the password or bypassing the second factor. The one caveat is that the score assumes the string stays secret; if it is exposed some other way, for example in logs or URLs, the guessing step disappears and the remaining barrier is only the low impact.

Possible Impact

While the CVSS score is low, the impact should not be dismissed. By removing the victim's registered WebAuthn device, the attacker achieves the following:

  • Reduced Security Posture: Until the victim re-registers, the account is protected by its password alone, so a phished, leaked, or stuffed password that 2FA would otherwise have stopped becomes enough to log in.
  • Phishing Opportunities: The victim is expecting an unusual re-registration prompt, which makes a message or page imitating it more credible. WebAuthn credentials are bound to the origin that registered them, so a fake page cannot capture the security key itself, but it can harvest the password the victim types along the way, and with the second factor gone that password is all the attacker needs.
  • Denial of Service (Indirect): The victim's authenticator stops working without warning, and they lose access to their second factor until they complete re-registration.

Mitigation or Patch Steps

The primary mitigation is to upgrade Nextcloud Twofactor WebAuthn to version 1.4.2 (1.x line) or 2.4.1 (2.x line) or later; these releases add the ownership check. From the web interface:

  1. Log in to your Nextcloud instance as an administrator.
  2. Navigate to the “Apps” section.
  3. Search for “Twofactor WebAuthn”.
  4. If an update is available, click the “Update” button.
  5. Verify that the installed version is 1.4.2 or 2.4.1 or higher.

The same update can be applied from the command line with occ app:update twofactor_webauthn, and occ app:list shows the installed version for the check in step 5.

Even on a fixed version, tell users to be wary of any unexpected request to re-register a WebAuthn device and to report it. On a version before the fix, a user whose security key suddenly stopped working and who was then prompted to re-register shows exactly the symptom this issue produces, so such a report is worth treating as a possible sign of it.
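As an added example (not from the page or the Nextcloud project), a Python script that takes the output of occ app:list and decides whether the installed app is at or past the fixed versions, comparing version fields numerically so that 1.10.0 is correctly ranked above 1.4.2. The sample listing is constructed, and the line format it parses is an assumption to check against your own occ output.

```python
# Added example, not from the page or the Nextcloud project: check from
# `occ app:list` output whether the installed Twofactor WebAuthn app is
# at or past the fixed versions named in the advisory. SAMPLE_APP_LIST
# is constructed for this example; the "  - app_id: version" line format
# is what current occ prints (an assumption to re-check on your instance).
import re
from typing import Dict, Optional, Tuple

APP_ID = "twofactor_webauthn"

# Fixed versions from the advisory, keyed by major release line.
FIXED: Dict[int, Tuple[int, ...]] = {1: (1, 4, 2), 2: (2, 4, 1)}

SAMPLE_APP_LIST = """Enabled:
  - activity: 2.20.0
  - twofactor_backupcodes: 1.17.0
  - twofactor_webauthn: 1.4.1
Disabled:
  - encryption: 2.16.0
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Dotted numeric version to a tuple, so 1.10.0 sorts after 1.4.2
    (comparing the strings would get that wrong). Non-numeric parts
    raise ValueError on purpose rather than being guessed at."""
    return tuple(int(part) for part in text.strip().split("."))


def installed_version(app_list: str, app_id: str = APP_ID) -> Optional[str]:
    """Version string for app_id from occ app:list output, or None."""
    pattern = rf"^[ \t]*-[ \t]*{re.escape(app_id)}:[ \t]*(\S+)"
    match = re.search(pattern, app_list, re.MULTILINE)
    return match.group(1) if match else None


def is_patched(version: str) -> bool:
    v = parse_version(version)
    fixed = FIXED.get(v[0])
    if fixed is None:
        # A line newer than any named in the advisory is taken to include
        # the fix; an older line has no fixed release at all.
        return v[0] > max(FIXED)
    # Tuple comparison: a bare "1.4" ranks below (1, 4, 2), i.e. unpatched.
    return v >= fixed


def audit(app_list: str) -> Tuple[Optional[str], bool]:
    """(installed version or None, True if nothing remains to patch)."""
    version = installed_version(app_list)
    if version is None:
        return None, True  # app not installed: not exposed
    return version, is_patched(version)


if __name__ == "__main__":
    import sys
    # Reads a real listing from stdin when piped, else the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_APP_LIST
    version, ok = audit(text)
    state = "patched" if ok else "UPDATE REQUIRED"
    print(f"{APP_ID}: {version or 'not installed'} -> {state}")
```

To run it against a live instance, pipe the listing in (the web-server user varies by distribution; www-data is an assumption): sudo -u www-data php occ app:list | python3 check_2fa_webauthn.py. With no input it evaluates the constructed sample, which reports 1.4.1 as needing an update.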

About the Author

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
