A critical authentication bypass in the open source scheduling platform cal.com allows attackers to gain unauthorized access to user accounts by submitting fake TOTP codes.
According to the GitHub advisory, the flaw, tracked as CVE-2025-66489, affects all versions up to and including 5.9.7 and has been patched in version 5.9.8.
Flawed Authentication Logic Exposes User Accounts
The vulnerability stems from flawed conditional logic in the authorize() function of cal.com's credentials provider.
The authentication flow contains a critical error: password verification is skipped entirely whenever the TOTP code field contains any value, regardless of whether the code is valid or whether the user has two-factor authentication enabled. This manifests in two dangerous scenarios.
For users without 2FA enabled, representing the majority of accounts, attackers can bypass both password and TOTP verification simply by providing any non-empty value in the TOTP code field along with the victim's email address.
Even where 2FA is enabled, the flaw still lets attackers bypass password verification, reducing multi-factor authentication (MFA) to a single-factor check and significantly weakening account security.
| Field | Detail |
|---|---|
| CVE ID | CVE-2025-66489 |
| Affected Product | cal.com (Open Source Scheduling Platform) |
| Vulnerability Type | CWE-303: Incorrect Implementation of Authentication Algorithm |
| Severity | Critical (10.0/10) |
| CVSS v4 Score | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:N |
The flaw enables attackers to access sensitive user data, including calendars, meeting links, and personal information, without legitimate credentials.
A GitHub researcher discovered and reported the vulnerability, which is classified as CWE-303 (Incorrect Implementation of Authentication Algorithm).
The flawed code lives in packages/features/auth/lib/next-auth-options.ts, where the password check and the TOTP check are not enforced independently of each other, leaving an exploitable authentication bypass.
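To make the failure mode concrete, the following is an added example, not cal.com's code: a minimal credentials-provider authorize() modelled on the logic described above, beside a hardened version that checks both factors independently. The user store, the demo password hashing and all names are assumptions; the TOTP routine is plain RFC 6238 (HMAC-SHA1, 30-second step, six digits) so the 2FA path is exercised end to end rather than stubbed.

```typescript
// Added example, not cal.com's code: a minimal model of the flawed
// credentials-provider authorize() described in the article, beside a
// hardened version. User store, password hashing and names are assumptions.
import { createHash, createHmac, timingSafeEqual } from "crypto";

interface User {
  email: string;
  passwordHash: string;
  twoFactorEnabled: boolean;
  totpSecret?: Buffer;
}

interface Credentials {
  email: string;
  password?: string;
  totpCode?: string;
}

// Demo-only hashing so the example runs offline; a real deployment would
// use a slow, salted scheme such as bcrypt or argon2.
const hashPassword = (pw: string): string =>
  createHash("sha256").update(pw).digest("hex");

const constantTimeEqual = (a: string, b: string): boolean =>
  a.length === b.length && timingSafeEqual(Buffer.from(a), Buffer.from(b));

// RFC 6238 TOTP: HMAC-SHA1 over the big-endian 8-byte time counter,
// dynamic truncation, 30-second step, 6 digits.
function totp(secret: Buffer, unixTime: number, step = 30, digits = 6): string {
  const counter = Math.floor(unixTime / step);
  const msg = Buffer.alloc(8);
  msg.writeUInt32BE(Math.floor(counter / 0x100000000), 0);
  msg.writeUInt32BE(counter % 0x100000000, 4);
  const h = createHmac("sha1", secret).update(msg).digest();
  const offset = h[h.length - 1] & 0x0f;
  const bin =
    ((h[offset] & 0x7f) << 24) | (h[offset + 1] << 16) | (h[offset + 2] << 8) | h[offset + 3];
  return String(bin % (10 ** digits)).padStart(digits, "0");
}

// Accept the current step and one step either side to absorb clock skew.
function verifyTotp(secret: Buffer, code: string, unixTime: number, step = 30): boolean {
  return [-1, 0, 1].some((skew) => constantTimeEqual(totp(secret, unixTime + skew * step), code));
}

// Constructed demo accounts. Bob's secret is the RFC 6238 test-vector key.
const USERS: User[] = [
  { email: "alice@example.com", passwordHash: hashPassword("correct horse"), twoFactorEnabled: false },
  { email: "bob@example.com", passwordHash: hashPassword("battery staple"), twoFactorEnabled: true,
    totpSecret: Buffer.from("12345678901234567890") },
];
const findUser = (email: string): User | undefined => USERS.find((u) => u.email === email);

const passwordMatches = (user: User, password?: string): boolean =>
  password !== undefined && constantTimeEqual(hashPassword(password), user.passwordHash);

// Models the flaw: the password branch runs only when totpCode is empty.
function authorizeVulnerable(c: Credentials, now: number): User | null {
  const user = findUser(c.email);
  if (!user) return null;
  if (!c.totpCode) {
    // Only reached when no TOTP code was submitted.
    if (!passwordMatches(user, c.password)) return null;
  }
  if (user.twoFactorEnabled) {
    if (!user.totpSecret || !c.totpCode || !verifyTotp(user.totpSecret, c.totpCode, now)) return null;
  }
  // Without 2FA the submitted code is never inspected, so any non-empty
  // value plus the victim's email is enough to reach this line.
  return user;
}

// Hardened: the password is always checked; a TOTP code is required and
// verified when 2FA is on, and rejected as unexpected input when it is off.
function authorizeFixed(c: Credentials, now: number): User | null {
  const user = findUser(c.email);
  if (!user) return null;
  if (!passwordMatches(user, c.password)) return null;
  if (user.twoFactorEnabled) {
    if (!user.totpSecret || !c.totpCode || !verifyTotp(user.totpSecret, c.totpCode, now)) return null;
  } else if (c.totpCode) {
    return null;
  }
  return user;
}

// Stand-alone demo with a fixed clock so the output is reproducible.
const NOW = 1700000000;
const bobCode = totp(Buffer.from("12345678901234567890"), NOW);
console.log("vulnerable, no password, junk code:", authorizeVulnerable({ email: "alice@example.com", totpCode: "000000" }, NOW)?.email ?? "rejected");
console.log("fixed, no password, junk code:", authorizeFixed({ email: "alice@example.com", totpCode: "000000" }, NOW)?.email ?? "rejected");
console.log("vulnerable, wrong password, valid code:", authorizeVulnerable({ email: "bob@example.com", password: "nope", totpCode: bobCode }, NOW)?.email ?? "rejected");
```

The point of the hardened version is that the two checks are sequenced, not alternated: nothing the client submits can cause the password branch to be skipped, and the TOTP branch is reached only after it. Rejecting a code for an account without 2FA is a design choice, not a requirement of the fix; ignoring the field would also be safe once the password is always verified, but refusing unexpected input keeps the accepted request shapes small.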
Cal.com users should immediately upgrade to version 5.9.8, which addresses the flaw by enforcing verification of both authentication factors.
Organizations running affected versions are at high risk of account takeover, user enumeration, and impersonation of legitimate users; since the bypass needs only a target's email address, sign-in activity from the exposed period also deserves review.
The post Critical Cal.com Vulnerability Let Attackers Bypass Authentication Via Fake TOTP Codes appeared first on Cyber Security News.
