CVE-2025-42615— Improper Restriction of Excessive Authentication Attempts vulnerability in CIRCL Vulnerability-Lookup
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-42615
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Improper Restriction of Excessive Authentication Attempts vulnerability in CIRCL Vulnerability-Lookup
Source: NVD (National Vulnerability Database)
Vulnerability Description
In affected versions, vulnerability-lookup did not track or limit failed One-Time Password (OTP) attempts during Two-Factor Authentication (2FA) verification. An attacker who already knew or guessed a valid username and password could submit an arbitrary number of OTP codes without causing the account to be locked or generating any specific alert for administrators. This lack of rate-limiting and lockout on OTP failures significantly lowers the cost of online brute-force attacks against 2FA codes and increases the risk of successful account takeover, especially if OTP entropy is reduced (e.g. short numeric codes, user reuse, or predictable tokens). Additionally, administrators had no direct visibility into accounts experiencing repeated 2FA failures, making targeted attacks harder to detect and investigate. The patch introduces a persistent failed_otp_attempts counter on user accounts, locks the user after 5 invalid OTP submissions, resets the counter on successful verification, and surfaces failed 2FA attempts in the admin user list. This enforces an account lockout policy for OTP brute-force attempts and improves monitoring capabilities for suspicious 2FA activity.This issue affects Vulnerability-Lookup: before 2.18.0.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
过多认证尝试的限制不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
Vulnerability-Lookup 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Vulnerability-Lookup是Vulnerability-Lookup开源的一个管理披露漏洞的平台。 Vulnerability-Lookup 2.18.0之前版本存在安全漏洞,该漏洞源于未限制一次性密码失败尝试,可能导致暴力破解攻击。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| CIRCL | Vulnerability-Lookup | 0 ~ 2.18.0 | - |
II. Public POCs for CVE-2025-42615
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-42615
请登录查看更多情报信息。
- https://vulnerability.circl.lu/vuln/gcve-1-2025-0033vendor-advisory
- https://nvd.nist.gov/vuln/detail/CVE-2025-42615
Same Patch Batch · CIRCL · 2025-12-08 · 3 CVEs total
| CVE-2025-42620 | CSRF vulnerability in CIRCL Vulnerability-Lookup | |
| CVE-2025-42616 | CSRF vulnerability in CIRCL Vulnerability-Lookup |
IV. Related Vulnerabilities
Same weakness: CWE-307
- CVE-2026-41893
Signal K Server's WebSocket Login Endpoint Lacks Rate Limiti - CVE-2025-2514
Improper Restriction of Excessive Authentication Attempts vu - CVE-2023-54347
OpenEMR 7.0.1 Authentication Brute Force Mitigation Bypass - CVE-2026-7671
CodeWise Tornet Scooter Mobile App TwoFactor excessive authe - CVE-2026-26206
Wazuh: API brute-force protection bypass via race condition
V. Comments for CVE-2025-42615
No comments yet