CVE-2025-66489

Published Dec 3, 2025

Last updated 6 days ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-66489 is an authentication bypass vulnerability in Cal.com, an open-source scheduling application, affecting versions prior to 5.9.8. The flaw is in the login credentials provider: because of faulty conditional logic in the authorize() function, the authentication flow skips password verification whenever a TOTP code is supplied. This is exploitable in two ways. First, an attacker who submits the victim's email address together with any non-empty value in the totpCode field bypasses both password and TOTP verification, so the victim's email address alone is enough to log in. Second, accounts with 2FA enabled are also affected: the TOTP code is still validated, but the password is ignored, so the second factor is reduced to a single factor. Cal.com 5.9.8 fixes the issue.

Description
Cal.com is open-source scheduling software. Prior to 5.9.8, a flaw in the login credentials provider allows an attacker to bypass password verification when a TOTP code is provided, potentially gaining unauthorized access to user accounts. This issue exists due to problematic conditional logic in the authentication flow. This vulnerability is fixed in 5.9.8.
Source
security-advisories@github.com
NVD status
Awaiting Analysis
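The control-flow mistake behind both scenarios above (password check skipped when a totpCode is present; TOTP check gated only on whether the account has 2FA enabled) can be seen in a small model of a credentials-provider authorize() function. The following is an added illustration written for this page, not Cal.com's code: the user store, the password comparison and the TOTP check are constructed stand-ins (a plaintext toy store and a precomputed code instead of a real hash and a real TOTP verifier) so that only the branch structure is under test.

```typescript
// Added example for CVE-2025-66489 (CWE-303). Not Cal.com's code: the user
// store, verifyPassword and verifyTotp are stand-ins so the example runs
// offline; only the ordering of the checks in authorize() is the point.

interface User {
  email: string;
  password: string;          // stand-in: toy store keeps plaintext (real code stores a hash)
  twoFactorEnabled: boolean;
  currentTotp?: string;      // stand-in: the code a real verifier would derive from the TOTP secret
}

interface Credentials {
  email: string;
  password?: string;
  totpCode?: string;
}

// Constructed sample accounts: one without 2FA, one with 2FA.
const users: Record<string, User> = {
  "alice@example.com": { email: "alice@example.com", password: "correct horse", twoFactorEnabled: false },
  "bob@example.com":   { email: "bob@example.com", password: "battery staple", twoFactorEnabled: true, currentTotp: "123456" },
};

// Length-leaking but content-independent comparison, enough for the toy store.
function constantTimeEqual(a: string, b: string): boolean {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

function verifyPassword(user: User, supplied?: string): boolean {
  return supplied !== undefined && constantTimeEqual(user.password, supplied);
}

function verifyTotp(user: User, code?: string): boolean {
  return code !== undefined && user.currentTotp !== undefined && constantTimeEqual(user.currentTotp, code);
}

// Vulnerable shape: the password is only verified when NO totpCode was sent,
// and the TOTP is only verified when the account has 2FA enabled. An account
// without 2FA is therefore opened by any non-empty totpCode; an account with
// 2FA is opened by a valid TOTP alone, the password never being checked.
function authorizeVulnerable(c: Credentials): User | null {
  const user = users[c.email];
  if (!user) return null;
  if (!c.totpCode) {
    if (!verifyPassword(user, c.password)) return null;
  }
  if (user.twoFactorEnabled) {
    if (!verifyTotp(user, c.totpCode)) return null;
  }
  return user;
}

// Fixed shape: the password is always verified; the TOTP is verified in
// addition whenever 2FA is enabled, regardless of what the client sent.
function authorizeFixed(c: Credentials): User | null {
  const user = users[c.email];
  if (!user) return null;
  if (!verifyPassword(user, c.password)) return null;
  if (user.twoFactorEnabled && !verifyTotp(user, c.totpCode)) return null;
  return user;
}

// Scenario 1: victim without 2FA, attacker knows only the email address.
const s1: Credentials = { email: "alice@example.com", totpCode: "anything" };
// Scenario 2: victim with 2FA, attacker has a valid code but not the password.
const s2: Credentials = { email: "bob@example.com", password: "wrong", totpCode: "123456" };

console.log("scenario 1 vulnerable:", authorizeVulnerable(s1)?.email ?? "rejected");
console.log("scenario 1 fixed:     ", authorizeFixed(s1)?.email ?? "rejected");
console.log("scenario 2 vulnerable:", authorizeVulnerable(s2)?.email ?? "rejected");
console.log("scenario 2 fixed:     ", authorizeFixed(s2)?.email ?? "rejected");
```

The fix is not "also check the password when 2FA is on"; it is that the password check must be unconditional and the second-factor check must depend on the account's configuration, never on what the client chose to send. A client-controlled field deciding which server-side checks run is the general pattern to look for when reviewing credential providers.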

Risk scores

CVSS 4.0

Type
Secondary
Base score
9.9
Impact score
-
Exploitability score
-
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity
CRITICAL

Weaknesses

security-advisories@github.com
CWE-303: Incorrect Implementation of Authentication Algorithm

