
Yubico Issues Security Advisory as 2FA Bypass Vulnerability Confirmed
In a recent security advisory, Yubico has announced a high-severity vulnerability (CVE-2025-23013) in its open-source pam-u2f software package, the PAM module that lets Linux and macOS systems authenticate users with YubiKeys and other FIDO/U2F devices. Under certain conditions the module returns without verifying the factor it is responsible for, which bypasses two-factor authentication (2FA) in deployments that rely on it.
According to Yubico, the issue does not affect any hardware products, including YubiKey and YubiHSM devices. It is specific to how the module handles its authfile (the file that maps user names to registered keys) in particular deployment configurations.
Yubico recommends that affected customers upgrade to the latest version of pam-u2f (1.3.1 or later), either by downloading it directly from GitHub or by obtaining the update from Yubico's PPA (Personal Package Archive). Distribution packages may lag behind, so check the installed version rather than assuming a recent package is fixed.
The issue arises when the module hits an internal error, specifically when memory cannot be allocated or when it cannot change privileges (it drops privileges to read a user's authfile). Instead of failing closed, it returns without verifying the factor it was asked to check, whether that is the second factor in a 2FA stack or the only factor when pam-u2f is used alone. The first affected scenario is a user-managed authfile stored in the user's home directory combined with the "nouserok" option, which tells the module to accept users who have no authfile; an error on the path that reads the file is then treated like a missing file, and the user is let through.
The second scenario involves a centrally managed authfile. Here an attacker with the ability to run code on the host could attempt to memory-starve the system by allocating large amounts of memory, triggering an allocation failure inside pam-u2f during an authentication event and causing the second factor to be skipped rather than rejected.
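The two scenarios above map directly onto lines in /etc/pam.d. The following audit helper is an added example, not Yubico's code or part of pam-u2f, that classifies each pam_u2f.so line in a PAM configuration so an administrator can see which hosts are in the "nouserok with user-managed authfile" case and which use a central authfile. It assumes a simple heuristic: an authfile= option pointing at an absolute path outside /home counts as centrally managed, while no authfile= option (pam-u2f then reads a file under the user's home directory) or a path under /home counts as user-managed. The sample PAM fragment is constructed for the example.

```shell
#!/bin/sh
# Added audit helper (not Yubico's code): flag pam_u2f.so lines in a PAM
# configuration that match the two scenarios in the advisory.
#
# Heuristic assumed here: "authfile=" with an absolute path outside /home is
# centrally managed; no "authfile=" (pam-u2f then reads a file under the
# user's home directory) or a path under /home is user-managed.

# Print one verdict for a single PAM line:
#   not-u2f                  line does not load pam_u2f.so (or is a comment)
#   user-authfile            per-user authfile, no nouserok
#   user-authfile-nouserok   advisory scenario 1 (remove nouserok or upgrade)
#   central-authfile         advisory scenario 2 (only the upgrade helps)
#   central-authfile-nouserok central authfile with nouserok also set
classify_pam_u2f_line() {
    set -f                      # disable globbing while word-splitting the line
    set -- $1                   # split the PAM line into its tokens
    set +f
    case "${1:-#}" in
        '#'*) echo "not-u2f"; return 0 ;;   # blank line or comment
    esac
    is_u2f=no; nouserok=no; central=no
    for tok in "$@"; do
        case "$tok" in
            pam_u2f.so|*/pam_u2f.so) is_u2f=yes ;;
            nouserok)                nouserok=yes ;;
            authfile=/home/*)        central=no ;;   # still under a home directory
            authfile=/*)             central=yes ;;
        esac
    done
    if [ "$is_u2f" != yes ]; then echo "not-u2f"; return 0; fi
    if [ "$central" = yes ]; then verdict=central-authfile; else verdict=user-authfile; fi
    if [ "$nouserok" = yes ]; then verdict="$verdict-nouserok"; fi
    echo "$verdict"
}

# Read a PAM configuration on stdin and print "verdict<TAB>line" for every
# pam_u2f.so line; lines that do not involve pam-u2f are skipped.
audit_pam_config() {
    while IFS= read -r pamline || [ -n "$pamline" ]; do
        verdict=$(classify_pam_u2f_line "$pamline")
        if [ "$verdict" != "not-u2f" ]; then
            printf '%s\t%s\n' "$verdict" "$pamline"
        fi
    done
}

# Constructed sample /etc/pam.d fragment (not taken from a real host).
SAMPLE_PAM_CONFIG='# constructed sample, for the example only
auth required pam_unix.so
auth sufficient pam_u2f.so nouserok cue
auth required pam_u2f.so authfile=/etc/u2f_mappings cue'

# Stand-alone run: audit the sample. To audit a real host instead:
#   cat /etc/pam.d/* | audit_pam_config
printf '%s\n' "$SAMPLE_PAM_CONFIG" | audit_pam_config
```

A "user-authfile-nouserok" verdict is the first scenario in the advisory and can be mitigated by configuration (drop nouserok, or move to a central authfile) while the upgrade is rolled out; a "central-authfile" verdict is the second scenario, where only the upgrade closes the memory-starvation path. The script is a heuristic over option names and paths, not a parser of everything PAM accepts, so treat its output as a worklist rather than a verdict.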
Yubico emphasizes that no YubiKey or YubiHSM hardware devices are affected and that the fix is purely on the software side: customers should upgrade every host running pam-u2f to the latest version, and, until that is done, avoid combining the "nouserok" option with user-managed authfiles.
Source: www.forbes.com