handlers package, versions <4.38.19

Q: How to fix?

Upgrade github.com/authelia/authelia/internal/handlers to version 4.38.19 or higher.

Threat Intelligence

Not Defined

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Brute Force vulnerabilities in an interactive lesson.

Start learning

Snyk IDSNYK-GOLANG-GITHUBCOMAUTHELIAAUTHELIAINTERNALHANDLERS-8738855
published20 Feb 2025
disclosed19 Feb 2025
credittsschaffert, Robert Deppe, caesarakalaeii

Report a new vulnerability Found a mistake?

Introduced: 19 Feb 2025

NewCVE-2025-24806 (opens in a new tab) CWE-307 (opens in a new tab)

How to fix?

Upgrade github.com/authelia/authelia/internal/handlers to version 4.38.19 or higher.

Overview

Affected versions of this package are vulnerable to Brute Force due to the excessive login attempt mitigation in place in FirstFactorPOST() allowing two different authentication methods to be used by the same requester, thereby effectively doubling the attempt lmiit. An attacker can increase the chances of successful brute force by using both the username and email login methods.

Workaround

This vulnerability can be negated by disabling one of the two authentication methods.

References

GitHub Commit

CVSS Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
High
Attack Requirements (AT)
Present
Privileges Required (PR)
Low
User Interaction (UI)
None

Confidentiality (VC)
None
Integrity (VI)
Low
Availability (VA)
None

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None