CVE-2025-66558(nextcloud twofactor_webauthn / cvss 3.1)

2025. 12. 27. 03:53·0-day

A critical authentication bypass vulnerability exists in the Nextcloud TwoFactor WebAuthn app that allows attackers to overwrite other users' WebAuthn credentials. The PublicKeyCredentialEntityMapper::insertOrUpdate() method searches for existing credentials using only the public_key_credential_id without validating the user_handle, enabling cross-user credential hijacking.

Steps To Reproduce:

  1. Set up the victim account (Alice):
    • User "alice" registers a WebAuthn device
    • System stores credential with public_key_credential_id = "ABC123"
    • Alice can successfully authenticate using her WebAuthn device
  2. Attacker exploitation:
    • Attacker obtains or guesses Alice's public_key_credential_id (e.g., "ABC123")
    • Attacker registers their own WebAuthn device using the same credential ID
    • The insertOrUpdate() method finds Alice's record (lines 139-142 in PublicKeyCredentialEntityMapper.php)
    • System overwrites Alice's credential data with attacker's WebAuthn device
  3. Attack completion:
    • Attacker can now log in to Alice's account using Alice's username/password + attacker's WebAuthn device
    • Alice can no longer log in with her legitimate WebAuthn device
    • No notification is sent to Alice about the credential change

Vulnerable Code Location:

  4. File: lib/Db/PublicKeyCredentialEntityMapper.php
    • Lines 111-123: findPublicKeyCredential() - missing user_handle validation
    • Lines 138-146: insertOrUpdate() - allows cross-user overwrites

The findPublicKeyCredential() method only searches by public_key_credential_id:

    $qb->select('*')
        ->from('twofactor_webauthn_regs')
        ->where($qb->expr()->eq('public_key_credential_id', $qb->createNamedParameter($publicKeyCredentialId)));
    // Missing: ->andWhere($qb->expr()->eq('user_handle', $qb->createNamedParameter($userHandle)))

Root Cause:
  • WebAuthn specification requires user verification for credential management
  • Similar pattern in findById() correctly validates user_handle (lines 94-98)
  • Call chain: WebauthnPublicKeyCredentialSourceRepository::saveCredentialSource() → insertOrUpdate()
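As an added example (not the app's own code), a credential lookup scoped to both the credential id and the owning user, plus an insert-or-update that refuses to overwrite a row registered to a different user handle. It assumes a Nextcloud QBMapper subclass over the same twofactor_webauthn_regs table; the class name, method names and the entity's getUserHandle()/getPublicKeyCredentialId() accessors are assumptions.

```php
<?php
declare(strict_types=1);

use OCP\AppFramework\Db\DoesNotExistException;
use OCP\AppFramework\Db\QBMapper;
use OCP\IDBConnection;
use OCA\TwoFactorWebauthn\Db\PublicKeyCredentialEntity; // assumed entity class

// Example mapper (assumed name); mirrors the owner-scoped pattern of findById().
class ScopedCredentialMapper extends QBMapper {
    public function __construct(IDBConnection $db) {
        parent::__construct($db, 'twofactor_webauthn_regs', PublicKeyCredentialEntity::class);
    }

    // Look a credential up by id only; used solely to detect ownership clashes.
    private function findAnyById(string $credentialId): ?PublicKeyCredentialEntity {
        $qb = $this->db->getQueryBuilder();
        $qb->select('*')
            ->from($this->getTableName())
            ->where($qb->expr()->eq('public_key_credential_id', $qb->createNamedParameter($credentialId)));
        try {
            return $this->findEntity($qb);
        } catch (DoesNotExistException $e) {
            return null;
        }
    }

    // Owner-scoped lookup: the user_handle predicate is the check the advisory says is missing.
    public function findForUser(string $credentialId, string $userHandle): ?PublicKeyCredentialEntity {
        $qb = $this->db->getQueryBuilder();
        $qb->select('*')
            ->from($this->getTableName())
            ->where($qb->expr()->eq('public_key_credential_id', $qb->createNamedParameter($credentialId)))
            ->andWhere($qb->expr()->eq('user_handle', $qb->createNamedParameter($userHandle)));
        try {
            return $this->findEntity($qb);
        } catch (DoesNotExistException $e) {
            return null;
        }
    }

    // Update only a row the caller already owns; a clash with another user's row is an error, not an overwrite.
    public function insertOrUpdateScoped(PublicKeyCredentialEntity $entity): PublicKeyCredentialEntity {
        $existing = $this->findAnyById($entity->getPublicKeyCredentialId());
        if ($existing === null) {
            return $this->insert($entity);
        }
        if ($existing->getUserHandle() !== $entity->getUserHandle()) {
            throw new \RuntimeException('credential id is already registered to a different user');
        }
        $entity->setId($existing->getId());
        return $this->update($entity);
    }
}
```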

Impact

Complete 2FA Bypass & Account Takeover

  1. Authentication Bypass: Attacker gains full access to victim's account using victim's password + attacker's WebAuthn device
  2. Credential Hijacking: Victim's legitimate WebAuthn device becomes unusable
  3. Stealth Attack: No notifications sent to victim about credential changes
  4. Persistent Access: Attacker maintains access until victim manually re-registers WebAuthn
  5. Data Exposure: Full access to victim's files, emails, and sensitive data in Nextcloud

This vulnerability completely undermines the security purpose of WebAuthn 2FA and enables account takeover attacks against any user with WebAuthn enabled.

se1en's security blog