Platform: php
Component: xenforo
Fixed in: 2.3.7
CVE-2025-71279 affects XenForo versions 2.3.0 through 2.3.7. This vulnerability impacts Passkey-based authentication, allowing a malicious actor to potentially bypass the security measures and gain unauthorized access to user accounts. The issue has been resolved in XenForo version 2.3.7, and users are strongly advised to upgrade immediately.
The core impact of CVE-2025-71279 lies in the circumvention of Passkey authentication. Passkeys are designed to provide a more secure and user-friendly alternative to traditional passwords. This vulnerability essentially negates that security benefit. An attacker exploiting this flaw could gain access to user accounts without needing to know the Passkey itself. The potential consequences are severe, including unauthorized data access, modification of user profiles, and potentially even administrative control depending on the user's permissions. The blast radius extends to all users who have configured Passkeys for authentication within their XenForo accounts.
CVE-2025-71279 was publicly disclosed on 2026-04-01. There is currently no indication of active exploitation in the wild, nor are there any publicly available proof-of-concept (PoC) exploits. The vulnerability has not been added to the CISA KEV catalog. The severity score of 9.8 indicates a critical risk, suggesting that if exploited, the impact could be significant.
Exploit Status
EPSS: 0.10% (29th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-71279 is to upgrade XenForo to version 2.3.7 or later. If an immediate upgrade is not feasible due to compatibility concerns or downtime constraints, consider temporarily disabling Passkey authentication as a workaround. This will force users to rely on alternative authentication methods, reducing the attack surface. Monitor XenForo logs for any suspicious activity related to authentication attempts, particularly those involving Passkeys. While a WAF or proxy cannot directly prevent this vulnerability, it can be configured to detect and block suspicious authentication patterns.
Update XenForo to version 2.3.7 or later. This version contains the security fixes necessary to mitigate the Passkey security bypass vulnerability.
CVE-2025-71279 is a critical vulnerability in XenForo versions 2.3.0–2.3.7 that allows attackers to bypass Passkey authentication, potentially gaining unauthorized access to user accounts.
Yes, if you are using XenForo versions 2.3.0 through 2.3.7 and have enabled Passkey authentication, you are potentially affected by this vulnerability.
The recommended fix is to upgrade XenForo to version 2.3.7 or later. As a temporary workaround, consider disabling Passkey authentication until you can upgrade.
Currently, there is no evidence of active exploitation in the wild, but the vulnerability's critical severity warrants immediate attention and remediation.
Please refer to the official XenForo security advisory for detailed information and updates regarding CVE-2025-71279: https://xenforo.com/security/advisories/