Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
The Magic Link authentication flow accepts multiple invalid authentication requests without adequate rate limiting or resource control, leading to uncontrolled memory usage growth.
This vulnerability can result in a denial-of-service condition, causing service unavailability for deployments that utilize the Magic Link authenticator. The impact is limited to these specific deployments and requires repeated invalid authentication attempts to trigger.
AnalysisAI
Memory exhaustion denial-of-service in WSO2 Identity Server's Magic Link authenticator allows remote unauthenticated attackers to crash the authentication service by flooding invalid login requests without rate limiting. The vulnerability affects deployments using the Magic Link authentication flow and has an EPSS score indicating moderate exploitation likelihood. WSO2 has published a security advisory (WSO2-2025-4469) with remediation guidance for affected Identity Server and Carbon MagicLink Authenticator Module installations.
Technical ContextAI
This vulnerability stems from inadequate resource management (CWE-400: Uncontrolled Resource Consumption) in WSO2's Magic Link passwordless authentication implementation. Magic Link authenticators generate time-limited authentication URLs sent via email or SMS, but the affected code fails to implement proper rate limiting or memory bounds when processing invalid authentication requests. Each invalid request allocates memory without cleanup, causing linear memory growth until the JVM heap is exhausted or the authentication service becomes unresponsive. The issue specifically affects the WSO2 Carbon MagicLink Authenticator Module integrated into WSO2 Identity Server deployments, impacting the authentication subsystem rather than the entire identity platform.
RemediationAI
Apply vendor-supplied patches documented in WSO2 Security Advisory WSO2-2025-4469 available at https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4469/, which includes specific patch versions for affected Identity Server releases and Carbon MagicLink Authenticator Module versions. If immediate patching is not feasible, implement compensating controls: deploy rate limiting at the reverse proxy or web application firewall layer targeting Magic Link authentication endpoints (typically /commonauth or /authenticationendpoint paths), limiting requests to 10-20 per minute per source IP; configure JVM memory monitoring with automated service restart on heap threshold (80-90% utilization) to maintain availability during attacks, though this allows continued service disruption; temporarily disable Magic Link authenticator and revert to password-based or SAML/OIDC federation authentication, which eliminates attack surface but removes passwordless login convenience for end users. Each mitigation trades off protection for operational complexity or user experience degradation, with patching remaining the only complete remediation without functional compromise.
More in Wso2 Identity Server
View allThe XML parsers within multiple WSO2 products accept user-supplied XML data without properly configuring to prevent the
Due to a lack of user account state validation during authentication, locked user accounts can be successfully authentic
WSO2 Identity Server in multi-organization deployments fails to validate organization context during adaptive authentica
Reflected cross-site scripting across at least eight WSO2 platform products - including Identity Server, API Manager, AP
The authentication endpoint accepts user-supplied input without enforcing expected validation constraints, leading to a
The authentication endpoint fails to encode user-supplied input before rendering it in the web page, allowing for script
Active access tokens are not revoked or invalidated when a user account is locked within WSO2 Identity Server. This fail
The silent Just-In-Time (JIT) provisioning feature in federated authentication implementations fails to properly segrega
The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker
Cross-tenant consent leakage in WSO2 Identity Server and WSO2 API Manager multi-tenant deployments lets a SaaS applicati
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209760
GHSA-3xrw-97cx-wwgf