Yubico has released a security advisory, YSA-2025-01, which highlighted a vulnerability within the software module that supports two-factor authentication (2FA) for Linux and macOS platforms. This issue, tracked as CVE-2025-23013, allows for a partial 2FA bypass protections when using YubiKeys or other FIDO-compatible authenticators. The vulnerability poses a high-risk security threat and could potentially compromise authentication processes for users relying on Yubico’s open-source pam-u2f software.
Yubico’s pam-u2f software package, a Pluggable Authentication Module (PAM) used to integrate YubiKey and other FIDO-compliant devices with Linux and macOS systems, contains a vulnerability that can lead to a 2FA bypass in some configurations. This flaw primarily affects systems running versions of pam-u2f prior to 1.3.1, where the authentication process does not correctly handle certain errors. In particular, when the system experiences issues such as memory allocation errors or the absence of necessary files, the pam-u2f module may fail to trigger proper authentication checks.
The 2FA Bypass Vulnerability
The 2FA bypass vulnerability arises in the pam_sm_authenticate() function, which is responsible for managing the authentication flow. When certain conditions occur—such as failure to allocate memory or privilege escalation issues—the function returns a response of PAM_IGNORE. This prevents the system from completing the authentication process correctly, bypassing 2FA in scenarios where it should be validated.
Additionally, if the nouserok option is enabled in the configuration, pam-u2f may return PAM_SUCCESS even when the authfile is missing or corrupted. This presents a critical risk, particularly in configurations where 2FA is set up as the primary or secondary authentication factor.
What Does This Mean for Users?
The vulnerability primarily affects users who have installed pam-u2f on Linux or macOS systems via methods like apt or manual installation. Specifically, users with versions of pam-u2f prior to 1.3.1 are vulnerable to this issue, which may lead to unauthorized access if the system’s 2FA protections are bypassed. However, no hardware used for 2FA, including any YubiKey devices, is affected by this vulnerability. The issue lies entirely within the software configuration, not the hardware security keys.
Yubico has recommended that all affected customers upgrade to the latest version of pam-u2f immediately to mitigate the vulnerability. Users can download the latest release directly from Yubico’s GitHub repository or update via Yubico’s Personal Package Archive (PPA).
How Are Different Configurations Impacted?
The severity of the vulnerability varies depending on the system configuration. For instance:
- Single Factor Authentication with User-Managed Authfile: In this scenario, where pam-u2f is used as a single factor and the authfile is located in the user’s home directory, an attacker could remove or corrupt the authfile. This would cause pam-u2f to return PAM_SUCCESS, allowing unauthorized access and potentially escalating privileges if the user has sudo access. This scenario has been assigned a CVSS score of 7.3, indicating a high severity.
- Two-Factor Authentication with Centrally Managed Authfile: If pam-u2f is used alongside a user’s password for two-factor authentication, the vulnerability may be triggered by a memory allocation error or a lack of necessary files. In this case, the second authentication factor may fail to verify, leaving the system open to attacks. This scenario carries a CVSS score of 7.1.
- Use of pam-u2f as a Single Authentication Factor with Other PAM Modules: When pam-u2f is used in conjunction with other PAM modules that do not perform authentication, forcing a PAM_IGNORE response would prevent any authentication from occurring. If the user has administrative privileges, this could lead to local privilege escalation. This scenario also carries a CVSS score of 7.3.
Conclusion
Yubico urges affected customers to immediately upgrade to the latest version of pam-u2f to protect against the 2FA bypass vulnerability, with alternative mitigation measures available for those unable to update right away. This advisory highlights the crucial role of two-factor authentication (2FA) in securing systems, while also showing that vulnerabilities within 2FA solutions can still pose risks.
