CVE-2025-23017

WorkOS Hosted AuthKit before 2025-01-07 allows a password authentication MFA bypass (by enrolling a new authentication factor) when the attacker knows the user's password. No exploitation occurred.

CVSS v3 6.0 MEDIUM

6.0^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 3.7

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope CHANGED

References

Link	Resource
https://workos.com/security/advisories
https://www.authkit.com

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) WorkOS Hosted AuthKit anterior al 7 de enero de 2025 permite omitir la autenticación de contraseñas mediante MFA (mediante el registro de un nuevo factor de autenticación) cuando el atacante conoce la contraseña del usuario. No se produjo ninguna explotación.

24 Feb 2025, 16:15

Type	Values Removed	Values Added
References		() https://www.authkit.com -

24 Feb 2025, 15:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-02-24 15:15

Updated : 2026-04-15 00:35

NVD link : CVE-2025-23017

Mitre link : CVE-2025-23017

CVE.ORG link : CVE-2025-23017

JSON object : View

Products Affected

No product.

CWE

CWE-305

Authentication Bypass by Primary Weakness

6.0 /10