CVE-2025-66558

Nextcloud Twofactor WebAuthn app was updated based on public key

CVSS 3.1 LOWEPSS 0.2%CWE-639

Vexday Risk Score

8Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 3.1EPSS 0.2%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

05 Dec 2025Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

Nextcloud Twofactor WebAuthn is the WebAuthn Two-Factor Provider for Nextcloud. Prior to 1.4.2 and 2.4.1, a missing ownership check allowed an attack to take-away a 2FA webauthn device when correctly guessing a 80-128 character long random string of letters, numbers and symbols. The victim would then be prompted to register a new device on the next login. The attacker can not authenticate as the victim. This vulnerability is fixed in 1.4.2 and 2.4.1.

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

Affected products

nextcloud · security-advisories

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-fr8x-mvjg-wf9q https://github.com/nextcloud/twofactor_webauthn/commit/5d2302166d31ee2e01b2e21556bd5372156da13d https://github.com/nextcloud/twofactor_webauthn/pull/881 https://hackerone.com/reports/3360354