One Time Password - Moderately critical - Access bypass - SA-CONTRIB-2025-061

Project:

One Time Password

Date:

2025-May-14

Security risk:

Moderately critical 14 ∕ 25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:Default

Vulnerability:

Access bypass

Affected versions:

<1.3.0

CVE IDs:

CVE-2025-48010

Description:

This module enables you to allow users to include a second authentication method in addition to password authentication.

The module doesn't sufficiently prevent one time login links from bypassing TFA.

This vulnerability is mitigated by the fact that an attacker must have access to an email account attached to a user or a valid one time password link for a user.

Solution:

Install the latest version:

If you use the One Time Password module for Drupal, upgrade to One Time Password 8.x-1.3

Reported By:

Conrad Lara (cmlara)

Fixed By:

danielveza
Kim Pepper (kim.pepper)
Lee Rowlands (larowlan) of the Drupal Security Team

Coordinated By:

Greg Knaddison (greggles) of the Drupal Security Team
Juraj Nemec (poker10) of the Drupal Security Team

Contribution record

One Time Password - Moderately critical - Access bypass - SA-CONTRIB-2025-061

Contact and more information

Contributing organizations for this advisory

News items

Our community

Documentation

Drupal code base

Governance of community