CVE-2025-10470

Published May 11, 2026

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-10470 describes a vulnerability found in the Magic Link authentication flow of WSO2 Identity Server and Carbon MagicLink Authenticator Module. The issue stems from the system's acceptance of multiple invalid authentication requests without adequate rate limiting or resource control. This lack of control can lead to uncontrolled memory usage growth. The vulnerability can result in a denial-of-service condition, making the service unavailable for deployments that utilize the Magic Link authenticator. Exploitation requires repeated invalid authentication attempts to trigger the condition.

Description

The Magic Link authentication flow accepts multiple invalid authentication requests without adequate rate limiting or resource control, leading to uncontrolled memory usage growth. This vulnerability can result in a denial-of-service condition, causing service unavailability for deployments that utilize the Magic Link authenticator. The impact is limited to these specific deployments and requires repeated invalid authentication attempts to trigger.

Source: ed10eef1-636d-4fbe-9993-6890dfa878f8
NVD status: Awaiting Analysis

Risk scores

CVSS 3.1

Type: Secondary
Base score: 8.6
Impact score: 4
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Severity: HIGH

Weaknesses

CWE-400 (source: ed10eef1-636d-4fbe-9993-6890dfa878f8)