Yubico, a leading provider of security keys and authentication solutions, has issued a security advisory to address an authentication bypass vulnerability, CVE-2025-23013, in their open-source pam-u2f software package.
The pam-u2f package provides a Pluggable Authentication Module (PAM) for macOS and Linux systems, enabling users to authenticate with YubiKeys or other FIDO-compliant authenticators. However, a vulnerability in the software could allow an attacker with unprivileged user access to bypass authentication under certain conditions.
The issue lies in the pam_sm_authenticate() function, which can return a PAM_IGNORE response under specific error conditions, such as memory allocation failures or missing configuration files. A PAM_IGNORE response can lead to improper authentication decisions, potentially allowing attackers to bypass the verification of primary or secondary authentication factors.
“When a module returns PAM_IGNORE, it does not contribute to the final authentication decision performed by PAM,” Yubico notes.
The severity of this vulnerability varies based on how pam-u2f is configured:
- User-Managed Authfile: If the authfile is stored in the user’s home directory and pam-u2f is used as a single-factor authentication method with the nouserok option enabled, attackers can tamper with the authfile to trigger an authentication bypass.
- Centrally Managed Authfile: If the authfile is centrally managed and pam-u2f is used as a second-factor authentication method, attackers could exploit memory allocation errors to disable the second-factor verification.
- Single-Factor with Non-Auth Modules: If pam-u2f is used as a single-factor method alongside non-authentication PAM modules, attackers can exploit a PAM_IGNORE response to bypass all authentication checks.
Yubico has released version 1.3.1 of pam-u2f to address the CVE-2025-23013 vulnerability and strongly recommends that all users upgrade to the latest version. The company also provides alternative mitigation strategies for users who cannot immediately upgrade.
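An added audit helper, not code from Yubico's advisory or the pam-u2f project: it parses a PAM stack, flags pam_u2f.so auth entries that match the three deployments listed above, and checks an installed version against the 1.3.1 fix. The sample stack, the set of non-authenticating modules, and the home-directory heuristic for a user-managed authfile are assumptions made for the example.

```python
import os
import re

# Constructed PAM stack used as sample input; not taken from any real system.
SAMPLE_PAM_CONFIG = """\
# /etc/pam.d/sudo (constructed example)
auth  required   pam_env.so
auth  sufficient pam_u2f.so nouserok cue
auth  optional   pam_faildelay.so delay=2000000
"""

FIXED_VERSION = (1, 3, 1)  # pam-u2f release that addresses CVE-2025-23013
# Assumption: auth-type modules that never verify a credential themselves.
NON_AUTH_MODULES = {"pam_env.so", "pam_faildelay.so", "pam_nologin.so"}
PAM_LINE = re.compile(r"^(?P<type>\S+)\s+(?P<control>\S+)\s+(?P<module>\S+)\s*(?P<args>.*)$")


def version_is_fixed(version: str) -> bool:
    """True if the given pam-u2f version string is 1.3.1 or later."""
    return tuple(int(p) for p in version.split(".")[:3]) >= FIXED_VERSION


def audit_pam_u2f(config_text: str) -> list[dict]:
    """Return one finding per pam_u2f.so auth entry, listing which advisory cases it matches."""
    auth_entries = []
    for n, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        m = PAM_LINE.match(line)
        if m and m.group("type") == "auth":
            auth_entries.append((n, m.group("control"), os.path.basename(m.group("module")),
                                 m.group("args").split()))
    # Modules in the stack that verify a credential on their own (e.g. pam_unix.so).
    real_factors = [mod for _, _, mod, _ in auth_entries
                    if mod != "pam_u2f.so" and mod not in NON_AUTH_MODULES]
    non_auth_present = any(mod in NON_AUTH_MODULES for _, _, mod, _ in auth_entries)
    findings = []
    for n, control, mod, args in auth_entries:
        if mod != "pam_u2f.so":
            continue
        opts = dict(a.split("=", 1) if "=" in a else (a, True) for a in args)
        authfile = opts.get("authfile")
        # Assumption: no explicit authfile, or one under a home directory, means user-managed.
        user_managed = not isinstance(authfile, str) or authfile.startswith(("~", "/home/"))
        issues = []
        if not real_factors:  # pam_u2f is the only authenticating module
            if opts.get("nouserok") and user_managed:
                issues.append("single factor: nouserok with a user-managed authfile")
            if non_auth_present:
                issues.append("single factor alongside non-authentication modules")
        elif not user_managed:
            issues.append("second factor with a centrally managed authfile")
        findings.append({"line": n, "control": control, "issues": issues})
    return findings
```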