Skip to main content

WSO2 Identity Server EUVDEUVD-2025-209760

| CVE-2025-10470 HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-05-11 WSO2 GHSA-3xrw-97cx-wwgf
8.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.6 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Patch available
May 11, 2026 - 12:01 EUVD
Analysis Generated
May 11, 2026 - 11:45 vuln.today
CVE Published
May 11, 2026 - 10:16 nvd
HIGH 8.6

DescriptionCVE.org

The Magic Link authentication flow accepts multiple invalid authentication requests without adequate rate limiting or resource control, leading to uncontrolled memory usage growth.

This vulnerability can result in a denial-of-service condition, causing service unavailability for deployments that utilize the Magic Link authenticator. The impact is limited to these specific deployments and requires repeated invalid authentication attempts to trigger.

AnalysisAI

Memory exhaustion denial-of-service in WSO2 Identity Server's Magic Link authenticator allows remote unauthenticated attackers to crash the authentication service by flooding invalid login requests without rate limiting. The vulnerability affects deployments using the Magic Link authentication flow and has an EPSS score indicating moderate exploitation likelihood. WSO2 has published a security advisory (WSO2-2025-4469) with remediation guidance for affected Identity Server and Carbon MagicLink Authenticator Module installations.

Technical ContextAI

This vulnerability stems from inadequate resource management (CWE-400: Uncontrolled Resource Consumption) in WSO2's Magic Link passwordless authentication implementation. Magic Link authenticators generate time-limited authentication URLs sent via email or SMS, but the affected code fails to implement proper rate limiting or memory bounds when processing invalid authentication requests. Each invalid request allocates memory without cleanup, causing linear memory growth until the JVM heap is exhausted or the authentication service becomes unresponsive. The issue specifically affects the WSO2 Carbon MagicLink Authenticator Module integrated into WSO2 Identity Server deployments, impacting the authentication subsystem rather than the entire identity platform.

RemediationAI

Apply vendor-supplied patches documented in WSO2 Security Advisory WSO2-2025-4469 available at https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4469/, which includes specific patch versions for affected Identity Server releases and Carbon MagicLink Authenticator Module versions. If immediate patching is not feasible, implement compensating controls: deploy rate limiting at the reverse proxy or web application firewall layer targeting Magic Link authentication endpoints (typically /commonauth or /authenticationendpoint paths), limiting requests to 10-20 per minute per source IP; configure JVM memory monitoring with automated service restart on heap threshold (80-90% utilization) to maintain availability during attacks, though this allows continued service disruption; temporarily disable Magic Link authenticator and revert to password-based or SAML/OIDC federation authentication, which eliminates attack surface but removes passwordless login convenience for end users. Each mitigation trades off protection for operational complexity or user experience degradation, with patching remaining the only complete remediation without functional compromise.

CVE-2024-2374 HIGH
7.5 Apr 16

The XML parsers within multiple WSO2 products accept user-supplied XML data without properly configuring to prevent the

CVE-2025-10908 HIGH
7.3 May 11

Due to a lack of user account state validation during authentication, locked user accounts can be successfully authentic

CVE-2025-9973 MEDIUM
6.4 May 11

WSO2 Identity Server in multi-organization deployments fails to validate organization context during adaptive authentica

CVE-2025-8591 MEDIUM
6.1 Jul 06

Reflected cross-site scripting across at least eight WSO2 platform products - including Identity Server, API Manager, AP

CVE-2025-10503 MEDIUM
6.1 Apr 29

The authentication endpoint accepts user-supplied input without enforcing expected validation constraints, leading to a

CVE-2025-6024 MEDIUM
6.1 Apr 16

The authentication endpoint fails to encode user-supplied input before rendering it in the web page, allowing for script

CVE-2025-12624 MEDIUM
6.0 Apr 16

Active access tokens are not revoked or invalidated when a user account is locked within WSO2 Identity Server. This fail

CVE-2024-1248 MEDIUM
5.3 Jul 04

The silent Just-In-Time (JIT) provisioning feature in federated authentication implementations fails to properly segrega

CVE-2024-0391 MEDIUM
5.3 May 11

The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker

CVE-2025-13475 HIGH
7.3 Jul 04

Cross-tenant consent leakage in WSO2 Identity Server and WSO2 API Manager multi-tenant deployments lets a SaaS applicati

Share

EUVD-2025-209760 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy