Advisory Database
  • Advisories
  • Dependency Scanning
  1. golang
  2. ›
  3. github.com/authelia/authelia/v4
  4. ›
  5. CVE-2025-24806

CVE-2025-24806: Authelia applies regulation separately to Username-based logins to Email-based logins

February 19, 2025

If users are allowed to sign in via both username and email the regulation system treats these as separate login events. This leads to the regulation limitations being effectively doubled assuming an attacker using brute-force to find a user password. It’s important to note that due to the effective operation of regulation where no user-facing sign of their regulation ban being visible either via timing or via API responses, it’s effectively impossible to determine if a failure occurs due to a bad username password combination, or a effective ban blocking the attempt which heavily mitigates any form of brute-force.

References

  • github.com/advisories/GHSA-m5mf-3963-4x26
  • github.com/authelia/authelia
  • github.com/authelia/authelia/commit/d4a54189aa6563912f9427b96dcb01eacafa785c
  • github.com/authelia/authelia/security/advisories/GHSA-m5mf-3963-4x26
  • nvd.nist.gov/vuln/detail/CVE-2025-24806

Code Behaviors & Features

Detect and mitigate CVE-2025-24806 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →

Affected versions

All versions before 4.38.19

Fixed versions

  • 4.38.19

Solution

Upgrade to version 4.38.19 or above.

Weakness

  • CWE-307: Improper Restriction of Excessive Authentication Attempts

Source file

go/github.com/authelia/authelia/v4/CVE-2025-24806.yml

Spotted a mistake? Edit the file on GitLab.

  • Site Repo
  • About GitLab
  • Terms
  • Privacy Statement
  • Contact

Page generated Wed, 14 May 2025 12:14:54 +0000.