x/vulndb: potential Go vuln in github.com/zitadel/zitadel/v2: GHSA-xrw9-r35x-x878

Advisory [GHSA-xrw9-r35x-x878](https://github.com/advisories/GHSA-xrw9-r35x-x878) references a vulnerability in the following Go modules:

| Module |
| - |
| [github.com/zitadel/zitadel](https://pkg.go.dev/github.com/zitadel/zitadel) |

Description:
### Summary

A vulnerability in Zitadel allowed brute-force attack on OTP, TOTP and password allowing to impersonate the attacked user.

### Impact

An attacker can perform an online brute-force attack on OTP, TOTP, and passwords. While Zitadel allows preventing online brute force attacks in scenarios like TOTP, Email OTP, or passwords using a lockout mechanism. The mechanism is not enabled by default and can cause a denial of service for the corresponding user if enabled. Additionally, the mitigation strategies were not fully implemented in the more recent resource-based APIs.

### Affected V...

References:
- ADVISORY: https://github.com/advisories/GHSA-xrw9-r35x-x878
- ADVISORY: https://github.com/zitadel/zitadel/security/advisories/GHSA-xrw9-r35x-x878
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-64102
- FIX: https://github.com/zitadel/zitadel/commit/b8db8cdf9cc8ea13f461758aef12457f8b7d972a

Cross references:
- github.com/zitadel/zitadel appears in 23 other report(s):
  - data/excluded/GO-2022-0961.yaml    (https://github.com/golang/vulndb/issues/961)    NOT_IMPORTABLE
  - data/excluded/GO-2023-1489.yaml    (https://github.com/golang/vulndb/issues/1489)    NOT_IMPORTABLE
  - data/excluded/GO-2023-2107.yaml    (https://github.com/golang/vulndb/issues/2107)    EFFECTIVELY_PRIVATE
  - data/excluded/GO-2023-2155.yaml    (https://github.com/golang/vulndb/issues/2155)    EFFECTIVELY_PRIVATE
  - data/excluded/GO-2023-2187.yaml    (https://github.com/golang/vulndb/issues/2187)    EFFECTIVELY_PRIVATE
  - data/excluded/GO-2023-2368.yaml    (https://github.com/golang/vulndb/issues/2368)    NOT_IMPORTABLE
  - data/reports/GO-2024-2637.yaml    (https://github.com/golang/vulndb/issues/2637)
  - data/reports/GO-2024-2655.yaml    (https://github.com/golang/vulndb/issues/2655)
  - data/reports/GO-2024-2664.yaml    (https://github.com/golang/vulndb/issues/2664)
  - data/reports/GO-2024-2665.yaml    (https://github.com/golang/vulndb/issues/2665)
  - data/reports/GO-2024-2788.yaml    (https://github.com/golang/vulndb/issues/2788)
  - data/reports/GO-2024-2804.yaml    (https://github.com/golang/vulndb/issues/2804)
  - data/reports/GO-2024-2968.yaml    (https://github.com/golang/vulndb/issues/2968)
  - data/reports/GO-2024-3014.yaml    (https://github.com/golang/vulndb/issues/3014)
  - data/reports/GO-2024-3015.yaml    (https://github.com/golang/vulndb/issues/3015)
  - data/reports/GO-2024-3137.yaml    (https://github.com/golang/vulndb/issues/3137)
  - data/reports/GO-2024-3138.yaml    (https://github.com/golang/vulndb/issues/3138)
  - data/reports/GO-2024-3139.yaml    (https://github.com/golang/vulndb/issues/3139)
  - data/reports/GO-2024-3216.yaml    (https://github.com/golang/vulndb/issues/3216)
  - data/reports/GO-2024-3217.yaml    (https://github.com/golang/vulndb/issues/3217)
  - data/reports/GO-2025-3499.yaml    (https://github.com/golang/vulndb/issues/3499)
  - data/reports/GO-2025-3671.yaml    (https://github.com/golang/vulndb/issues/3671)
  - data/reports/GO-2025-3721.yaml    (https://github.com/golang/vulndb/issues/3721)

See [doc/quickstart.md](https://github.com/golang/vulndb/blob/master/doc/quickstart.md) for instructions on how to triage this report.

```
id: GO-ID-PENDING
modules:
    - module: github.com/zitadel/zitadel
      non_go_versions:
        - fixed: 2.71.18
      vulnerable_at: 1.87.5
summary: Zitadel allows brute-forcing authentication factors in github.com/zitadel/zitadel
cves:
    - CVE-2025-64102
ghsas:
    - GHSA-xrw9-r35x-x878
references:
    - advisory: https://github.com/advisories/GHSA-xrw9-r35x-x878
    - advisory: https://github.com/zitadel/zitadel/security/advisories/GHSA-xrw9-r35x-x878
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-64102
    - fix: https://github.com/zitadel/zitadel/commit/b8db8cdf9cc8ea13f461758aef12457f8b7d972a
source:
    id: GHSA-xrw9-r35x-x878
    created: 2025-10-29T23:01:25.567051357Z
review_status: UNREVIEWED

```

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

x/vulndb: potential Go vuln in github.com/zitadel/zitadel/v2: GHSA-xrw9-r35x-x878 #4085

Summary

Impact

Affected V...

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

x/vulndb: potential Go vuln in github.com/zitadel/zitadel/v2: GHSA-xrw9-r35x-x878 #4085

Description

Summary

Impact

Affected V...

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions