CVE-2025-64754: Jitsi Meet OAuth Hijacking Vulnerability – Update Immediately!

Overview

A security vulnerability tracked as CVE-2025-64754 has been disclosed in Jitsi Meet, the popular open-source video conferencing application. It allows an attacker to hijack the OAuth authentication window that Jitsi Meet opens for Microsoft accounts, which can give the attacker unauthorized access to the victim's account session. Versions of Jitsi Meet prior to 2.0.10532 are affected; the fix ships in 2.0.10532.

Technical Details

The vulnerability stems from improper handling of the OAuth authentication flow that Jitsi Meet runs for Microsoft accounts. An attacker who can interfere with that flow could redirect the user to a malicious page that imitates the legitimate Microsoft login, or otherwise interpose on the exchange, and thereby capture the user's credentials or the OAuth tokens returned at the end of the flow.

The exact mechanism of the hijacking is not publicly disclosed for security reasons, but it is related to how Jitsi Meet handles redirects and window contexts during the OAuth authentication process.

CVSS Analysis

At the time of writing, no CVSS score has been published for CVE-2025-64754. Given that a successful attack ends in account compromise and that the flow is triggered by ordinary user interaction, it should be treated as high severity until a score is assigned. Organizations running affected versions of Jitsi Meet should perform their own risk assessment, weighting in particular whether the Microsoft account integration is enabled and what those accounts can reach.

Possible Impact

Successful exploitation of this vulnerability could lead to several serious consequences:

  • Account Compromise: Attackers could gain access to users' Microsoft accounts through the stolen credentials or tokens.
  • Data Breach: Any data the compromised account can reach (mail, calendar, files) could be exposed.
  • Lateral Movement: A compromised account could be used to reach other systems or services within the organization that trust the same identity.
  • Reputation Damage: A successful attack could damage the reputation of organizations running vulnerable versions of Jitsi Meet.

Mitigation and Patch Steps

The effective mitigation is to upgrade your Jitsi Meet installation to version 2.0.10532 or later, which contains the fix for the OAuth hijacking vulnerability.

  1. Update Jitsi Meet: Follow the official Jitsi Meet upgrade instructions for your deployment (package-based install, Docker, or a build from source).
  2. Verify the Update: After the update, confirm that the deployed version is 2.0.10532 or later, for example by checking the version reported by your package manager or by the client.
  3. Monitor for Suspicious Activity: Review Microsoft account sign-in activity for unusual login attempts, new OAuth consents, or access from unexpected locations, and revoke sessions or tokens for any account that looks compromised.

No workaround has been published, so updating is the only recommended remedy.

References

Jitsi Meet Security Advisory (GitHub)

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
