CVE-2025-0672

Name of the Vulnerable Software and Affected Versions WSO2 products (affected versions not specified)

Description An authentication bypass can occur in WSO2 products when FIDO authentication is enabled. Deletion of a user account does not automatically remove associated FIDO registration data. If a new user account is created with the same username, the system may associate it with the previously registered FIDO device. This could allow a previously deleted user to authenticate using their FIDO credentials and impersonate the new user, leading to unauthorized access. The issue only affects deployments using FIDO-based authentication.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.