eduMFA: Unauthenticated Failcounter Increment on Resolver Tokens via /validate/check
If the resolver parameter is passed, but the user does not exist, all failcounters of tokens in that resolver will be increased.
For deployments using MySQL or MariaDB < 11.6.2 (or a newer version with innodb_snapshot_isolation=off), reuse of token values might be possible due to faulty transaction isolation inside the database. Exploiting this requires racing the transaction. All token types whose values are only supposed to be used once are affected, for example TOTP, HOTP and likely also WebAuthn.
In eduMFA < 2.9.1, userless Passkey/WebAuthn challenges might be replayed and do not expire.
BlastRADIUS (see blastradius.fail for details) also affects eduMFA prior to version 2.2.0, because the Message-Authenticator attributes were not checked.