View online: https://www.drupal.org/sa-contrib-2025-096
Project: Authenticator Login [1] Date: 2025-August-13 Security risk: *Highly critical* 21 ∕ 25 AC:Basic/A:None/CI:All/II:All/E:Proof/TD:All [2] Vulnerability: Access bypass
Affected versions: <2.1.4 CVE IDs: CVE-2025-8995 Description: This module enables users to setup two-factor authentication (2FA) using authenticator apps for enhanced login security. The module alters the standard Drupal login form to use AJAX callbacks for handling authentication flow.
The module doesn't sufficiently validate authentication under specific conditions, allowing an attacker to log in as any account where they know the username.
This vulnerability is mitigated by the fact that an attacker must make a series of requests to trigger the necessary conditions that allow authentication byass. The series of requests could alert a site owner that they are being attacked; however, the number of requests necessary to trigger the conditions is usually quite small (the number depends on site configuration, by default it is 5).
Solution: Install the latest version:
* If you use the alogin module for Drupal 10^, upgrade to the latest version or at least Alogin 2.1.5 [3]
/Note: the fix is in a tag in git for 2.1.4 however there is no release for that tag. The fix is also in 2.1.5 relase./
Reported By: * Pierre Rudloff (prudloff) [4]
Fixed By: * Ahmed Raza (ahmed.raza) [5]
Coordinated By: * Damien McKenna (damienmckenna) [6] of the Drupal Security Team * Dan Smith (galooph) [7] of the Drupal Security Team * Greg Knaddison (greggles) [8] of the Drupal Security Team * Cathy Theys (yesct) [9] of the Drupal Security Team
[1] https://www.drupal.org/project/alogin [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/alogin/releases/2.1.5 [4] https://www.drupal.org/u/prudloff [5] https://www.drupal.org/u/ahmedraza [6] https://www.drupal.org/u/damienmckenna [7] https://www.drupal.org/u/galooph [8] https://www.drupal.org/u/greggles [9] https://www.drupal.org/u/yesct