External risk intelligence

WSO2 Identity Server can be taken offline by attackers sending too many bad login attempts.

CVE advisory

Severity: HIGH (CVSS 8.6)

CVE-2025-10470

WSO2 Identity Server can be taken offline by attackers sending too many bad login attempts. This vulnerability directly impacts service availability for users, especially for those relying on the Magic Link authentication method.

Halo Surface Signal: 5

WSO2 Identity Server

7.0.0 to before 7.0.0.121

External exposure likelihood

Halo Surface Signal score for CVE-2025-10470

The vulnerability exists in a Magic Link authentication flow, which is a public-facing identity and authentication mechanism. Such services are designed to be reachable over the internet to allow users to authenticate from any location, making the vulnerable endpoint inherently internet-facing by design.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in WSO2 Identity Server's Magic Link authentication could allow an attacker to cause a denial-of-service by repeatedly sending invalid requests, exhausting system memory and making the service unavailable. Teams should pay attention because this directly impacts service availability for users attempting to authenticate.

  • Service unavailability for users.
  • Requires repeated invalid requests.
  • Affects Magic Link authentication.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this by repeatedly sending invalid authentication requests to the Magic Link flow. The resulting memory exhaustion prevents legitimate users from authenticating, effectively denying service.

  • Target public-facing authentication endpoint.
  • No prior user account needed.
  • Repeated invalid requests required.

Live Threat

Current exploitation, exposure, and threat context

This denial-of-service vulnerability allows uncontrolled memory growth through repeated invalid authentication attempts on the Magic Link flow. Attackers may target it to disrupt services relying on this specific authentication method, though sustained effort is required to trigger it. No exploitation signals have been observed for this specific CVE.

  • Denial-of-service impact
  • Limited to Magic Link flow
  • No observed exploitation signals

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize immediate mitigation for WSO2 Identity Server deployments using the Magic Link authenticator, as this vulnerability can lead to denial-of-service due to uncontrolled memory growth from repeated invalid authentication attempts. Focus on identifying and isolating affected instances to prevent service unavailability and analyze logs for signs of exploitation, particularly any unusual spikes in authentication failures.

  • Upgrade to WSO2 Identity Server version 7.0.0.121.
  • Implement stricter rate limiting for Magic Link authentication.
  • Monitor authentication logs for abnormal request volumes.
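The rate-limiting and log-monitoring actions above (and the same advice repeated in the FAQ below) can be backed by one sliding-window counter of authentication failures per client. The following is an added example, not WSO2 code and not an official WSO2 log format: the line format, field names, the 60-second window and the threshold of 5 failures are assumptions chosen for illustration, and the sample log is constructed. The same `record()` call that drives the alert also gives a rate limiter its reject decision.

```python
"""Sliding-window detection of repeated Magic Link authentication failures.

Added example, not WSO2 code. The log line format, field names, window and
threshold are assumptions chosen for illustration; adapt parse_line() to the
authentication log format your deployment actually emits.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed simplified log format (constructed for this example, not WSO2's own):
#   <ISO timestamp> AUTH_FAILURE authenticator=<name> client=<ip>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) AUTH_FAILURE authenticator=(?P<auth>\S+) client=(?P<ip>\S+)$"
)


def parse_line(line):
    """Return (timestamp, authenticator, client_ip), or None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["auth"], m["ip"]


class FailureWindow:
    """Per-client sliding window of failure timestamps.

    One structure serves two recommendations: record() doubles as a
    rate-limit decision (True means a limiter should reject this attempt and
    further ones until the window drains), and analyze() uses the same counts
    to raise a detection alert.
    """

    def __init__(self, window_seconds=60, threshold=5):
        self.window = timedelta(seconds=window_seconds)   # assumed window
        self.threshold = threshold                         # assumed threshold
        self.events = defaultdict(deque)

    def record(self, ts, client):
        """Add a failure for client at ts; return True once the client is over threshold."""
        q = self.events[client]
        q.append(ts)
        # Drop timestamps that have aged out of the window (lines must be in time order)
        while q and ts - q[0] > self.window:
            q.popleft()
        return len(q) >= self.threshold

    def is_over(self, client):
        """Current state of a client, for a limiter checking before processing a request."""
        return len(self.events[client]) >= self.threshold


def analyze(lines, authenticator="MagicLink", window_seconds=60, threshold=5):
    """Scan log lines for failures of one authenticator.

    Returns (alerts, totals): alerts maps client IP -> timestamp at which it
    first crossed the threshold; totals maps client IP -> failures seen.
    """
    fw = FailureWindow(window_seconds, threshold)
    alerts, totals = {}, defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed or unrelated lines
        ts, auth, ip = parsed
        if auth != authenticator:
            continue  # only the flow under discussion is counted
        totals[ip] += 1
        if fw.record(ts, ip) and ip not in alerts:
            alerts[ip] = ts
    return alerts, dict(totals)


# Constructed sample: one client hammers the Magic Link authenticator, another
# fails twice, one BasicAuth failure is unrelated, one line is malformed, and a
# late single failure shows the window draining.
SAMPLE_LOG = """\
2025-01-01T10:00:00 AUTH_FAILURE authenticator=MagicLink client=203.0.113.10
2025-01-01T10:00:03 AUTH_FAILURE authenticator=MagicLink client=198.51.100.7
2025-01-01T10:00:05 AUTH_FAILURE authenticator=MagicLink client=203.0.113.10
2025-01-01T10:00:10 AUTH_FAILURE authenticator=MagicLink client=203.0.113.10
2025-01-01T10:00:12 AUTH_FAILURE authenticator=BasicAuth client=203.0.113.10
2025-01-01T10:00:15 AUTH_FAILURE authenticator=MagicLink client=203.0.113.10
2025-01-01T10:00:20 AUTH_FAILURE authenticator=MagicLink client=203.0.113.10
2025-01-01T10:00:25 AUTH_FAILURE authenticator=MagicLink client=203.0.113.10
2025-01-01T10:00:30 AUTH_FAILURE authenticator=MagicLink client=198.51.100.7
not a log line
2025-01-01T10:15:00 AUTH_FAILURE authenticator=MagicLink client=203.0.113.10
"""

if __name__ == "__main__":
    alerts, totals = analyze(SAMPLE_LOG.splitlines())
    for ip, ts in alerts.items():
        print(f"ALERT {ip}: {totals[ip]} failures, threshold crossed at {ts.isoformat()}")
```

Running it flags only 203.0.113.10, crossing the threshold at its fifth failure (10:00:20); the two failures from 198.51.100.7 and the BasicAuth line never count, and the single failure at 10:15:00 arrives after the window has drained, so a limiter would let it through. The window is keyed by client IP here for simplicity; behind a shared NAT or proxy a per-session or per-target-identifier key, or a global failure-rate threshold, is the better fit.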

Frequently asked questions

What is WSO2 Identity Server and its function?

WSO2 Identity Server is a product for managing digital identities and access, offering features like authentication, authorization, and identity federation to help secure applications and services.

How does CVE-2025-10470 impact WSO2 Identity Server?

CVE-2025-10470 is a CWE-400 weakness (uncontrolled resource consumption). In WSO2 Identity Server's Magic Link authentication, this allows numerous incorrect login attempts to exhaust memory, causing the service to become unavailable.

What is the attack path for CVE-2025-10470?

An attacker can exploit this by sending many invalid authentication requests to the Magic Link flow. This targets a public-facing endpoint without needing prior account access, leading to denial-of-service.

What is the relevance of CVE-2025-10470?

This denial-of-service vulnerability, affecting the Magic Link authentication flow, could be exploited to disrupt services. While exploitation signals are not observed, the public-facing nature of the authentication mechanism makes it a potential target.

What are the recommended actions for CVE-2025-10470?

To mitigate, apply WSO2 Identity Server version 7.0.0.121. Consider implementing stricter rate limiting for Magic Link authentication and monitor logs for unusual authentication request volumes to prevent service unavailability.
