{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-10470","assignerOrgId":"ed10eef1-636d-4fbe-9993-6890dfa878f8","state":"PUBLISHED","assignerShortName":"WSO2","dateReserved":"2025-09-15T08:51:01.163Z","datePublished":"2026-05-11T10:16:52.358Z","dateUpdated":"2026-05-11T12:38:39.383Z"},"containers":{"cna":{"providerMetadata":{"orgId":"ed10eef1-636d-4fbe-9993-6890dfa878f8","shortName":"WSO2","dateUpdated":"2026-05-11T10:16:52.358Z"},"title":"Denial-of-Service via Magic Link Authentication in WSO2 Identity Server Allows Service Unavailability","problemTypes":[{"descriptions":[{"lang":"en","cweId":"CWE-400","description":"CWE-400: Uncontrolled Resource Consumption","type":"CWE"}]}],"impacts":[{"capecId":"CAPEC-132","descriptions":[{"lang":"en","value":"CAPEC-132: Denial of Service"}]}],"affected":[{"vendor":"WSO2","product":"WSO2 Identity Server","versions":[{"status":"affected","version":"7.0.0","lessThan":"7.0.0.121","versionType":"custom"}],"defaultStatus":"unaffected"},{"vendor":"WSO2","product":"WSO2 Carbon MagicLink Authenticator 
Module","packageName":"org.wso2.carbon.identity.local.auth.magiclink:org.wso2.carbon.identity.application.authenticator.magiclink","versions":[{"status":"affected","version":"1.1.22","lessThan":"1.1.22.3","versionType":"custom"},{"status":"unaffected","version":"1.1.31","lessThanOrEqual":"*","versionType":"custom"}],"defaultStatus":"unknown"}],"cpeApplicability":[{"operator":"OR","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*","versionStartIncluding":"7.0.0","versionEndExcluding":"7.0.0.121"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:wso2:wso2_carbon_magiclink_authenticator_module:*:*:*:*:*:*:*:*","versionStartIncluding":"1.1.22","versionEndExcluding":"1.1.22.3"},{"vulnerable":false,"criteria":"cpe:2.3:a:wso2:wso2_carbon_magiclink_authenticator_module:*:*:*:*:*:*:*:*","versionStartIncluding":"1.1.31","versionEndIncluding":"*"}]}]}],"descriptions":[{"lang":"en","value":"The Magic Link authentication flow accepts multiple invalid authentication requests without adequate rate limiting or resource control, leading to uncontrolled memory usage growth.\n\nThis vulnerability can result in a denial-of-service condition, causing service unavailability for deployments that utilize the Magic Link authenticator. The impact is limited to these specific deployments and requires repeated invalid authentication attempts to trigger.","supportingMedia":[{"type":"text/html","base64":false,"value":"The Magic Link authentication flow accepts multiple invalid authentication requests without adequate rate limiting or resource control, leading to uncontrolled memory usage growth.\n\nThis vulnerability can result in a denial-of-service condition, causing service unavailability for deployments that utilize the Magic Link authenticator. 
The impact is limited to these specific deployments and requires repeated invalid authentication attempts to trigger."}]}],"references":[{"url":"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4469/","tags":["vendor-advisory"]}],"metrics":[{"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}],"cvssV3_1":{"version":"3.1","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH","baseSeverity":"HIGH","baseScore":8.6,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H"}}],"solutions":[{"lang":"en","value":"Follow the instructions given on https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4469/#solution","supportingMedia":[{"type":"text/html","base64":false,"value":"<span style=\"background-color: transparent;\">Follow the instructions given on </span><a target=\"_blank\" rel=\"nofollow\" href=\"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4469/#solution\"><span style=\"background-color: transparent;\">https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4469/#solution</span></a> <br>"}]}],"source":{"advisory":"WSO2-2025-4469","discovery":"INTERNAL"},"x_generator":{"engine":"Vulnogram 0.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-05-11T12:38:30.354857Z","id":"CVE-2025-10470","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-05-11T12:38:39.383Z"}}]}}