CVE-2025-23017 in WorkOS Hosted AuthKit
Summary
by MITRE • 02/24/2025
WorkOS Hosted AuthKit before 2025-01-07 allows a password authentication MFA bypass (by enrolling a new authentication factor) when the attacker knows the user's password. No exploitation occurred.
Analysis
by VulDB Data Team • 05/31/2025
The vulnerability identified as CVE-2025-23017 affects WorkOS Hosted AuthKit versions prior to the 2025-01-07 release and constitutes a significant security weakness: it enables a multi-factor authentication bypass through a password-based attack vector. Specifically, an attacker who possesses a user's valid password can circumvent the multi-factor authentication protection by enrolling a new authentication factor of their own. The attacker thus leverages knowledge of the password alone to manipulate the authentication flow, undermining the control that is meant to protect the account even after a password compromise.
Technically, the vulnerability stems from insufficient validation within the authentication factor enrollment process. When a user attempts to add a new authentication factor, the system should verify that the user has successfully authenticated through their primary factor before permitting the enrollment of additional factors. In WorkOS Hosted AuthKit, however, factor enrollment proceeds without proper verification of the user's identity through the primary authentication method. This is a critical breakdown of least privilege and of authentication verification: the system fails to enforce proper session validation during the enrollment step. The vulnerability aligns with CWE-305 (authentication bypass) and reflects a failure in the authentication factor management flow.
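To make the enrollment flaw concrete, the following is an added illustrative model (not WorkOS code, and not the actual AuthKit fix): a minimal account/session model with the flawed enrollment path beside an assumed hardened one, where an account that already has MFA may only change its factor set from a session that has proven one of its existing factors, and a newly enrolled factor never satisfies MFA for the login that enrolled it. All class and function names are hypothetical.

```python
from dataclasses import dataclass, field


class EnrollmentDenied(Exception):
    """Raised when a factor-enrollment request fails policy."""


@dataclass
class Account:
    user_id: str
    enrolled_factors: set = field(default_factory=set)  # ids of factors already on the account


@dataclass
class Session:
    user_id: str
    password_verified: bool = False
    verified_factors: set = field(default_factory=set)  # factors this login has actually proven


def verify_factor(session, account, factor_id):
    """Record that the session answered a challenge for an already-enrolled factor.
    (The challenge itself, e.g. a TOTP check, is out of scope for this model.)"""
    if factor_id not in account.enrolled_factors:
        return False
    session.verified_factors.add(factor_id)
    return True


def enroll_factor_vulnerable(session, account, new_factor_id):
    """Flawed flow modelled on the page's description: only the password step is
    required, and the freshly enrolled factor immediately counts as MFA for this login."""
    if not session.password_verified:
        raise EnrollmentDenied("password step not completed")
    account.enrolled_factors.add(new_factor_id)
    session.verified_factors.add(new_factor_id)
    return True


def enroll_factor_hardened(session, account, new_factor_id):
    """Assumed fix (hypothetical policy): an account that already has MFA may only
    change its factor set from a session that proved one of the existing factors.
    The new factor does not satisfy MFA until the session verifies it separately."""
    if not session.password_verified:
        raise EnrollmentDenied("password step not completed")
    if account.enrolled_factors and not (session.verified_factors & account.enrolled_factors):
        raise EnrollmentDenied("existing factor must be verified before enrolling a new one")
    account.enrolled_factors.add(new_factor_id)
    return True


def mfa_satisfied(session, account):
    """Login may finish only once the session proved a factor enrolled on the account."""
    return bool(session.verified_factors & account.enrolled_factors)
```

With the flawed path, a password-only session on an account that already has a factor can enroll a new one and immediately pass `mfa_satisfied`; with the hardened path the same request is denied and the session stays short of MFA.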
The operational impact is substantial, as the flaw gives attackers a pathway into accounts that would otherwise be protected by multi-factor authentication. An attacker who has obtained a user's password can enroll their own authentication factor and thereby gain unauthorized access to the account. The bypass is particularly dangerous because it is silent and requires no further attack vectors or other system weaknesses. The attacker-enrolled factor acts as a persistent backdoor that remains active until the compromised account's factors are reviewed and the rogue factor removed. This attack vector is mapped to ATT&CK technique T1566.002 for credential access through phishing and social engineering, although here the attack proceeds through legitimate authentication flows rather than social manipulation.
Security professionals should treat this vulnerability as a critical risk requiring immediate attention and remediation. That no exploitation has occurred to date does not diminish its severity; the potential for abuse exists in any unpatched deployment. Organizations using WorkOS Hosted AuthKit should prioritize updating to the patched version released on 2025-01-07 and conduct thorough assessments of their authentication workflows. Additional mitigations include monitoring for unusual authentication factor enrollment patterns and requiring additional verification for any new factor registration attempt. The issue underlines the importance of proper authentication factor management, of robust session validation throughout the authentication lifecycle, and of keeping security controls up to date in multi-factor authentication systems.