Runtipi has a TOTP two-factor authentication bypass via unrestricted brute-force on `/api/auth/verify-totp`
Runtipi is a personal homeserver orchestrator. Prior to 4.8.1, the Runtipi `/api/auth/verify-totp` endpoint does not enforce any rate limiting, attempt counting, or account lockout mechanism. An attacker who has obtained a user's valid credentials (via phishing, credential stuffing, or a data breach) can brute-force the 6-digit TOTP code and completely bypass two-factor authentication. The TOTP verification session persists for 24 hours (the default cache TTL), providing an excessive window during which the full 1,000,000-code keyspace (000000–999999) can be exhausted. At practical request rates (~500 req/s), the attack completes in approximately 33 minutes in the worst case. This vulnerability is fixed in 4.8.1.
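The missing control is the one CWE-307 names: a per-account failure counter with a lockout in front of the TOTP check, so that a holder of stolen credentials cannot walk the code space. The following TypeScript is an added illustration written for this page; it is not Runtipi's code and does not reproduce its fix. It implements RFC 4226/6238 HOTP/TOTP with Node's `crypto` module, wraps verification in a hypothetical `TotpGuard` that counts failures per user and locks the account for a configurable period, and includes two small helpers that reproduce the advisory's arithmetic: the worst-case exhaustion time at an unlimited 500 req/s, and the number of guesses the guard permits per 24-hour window. The policy values (`MAX_FAILURES`, `LOCKOUT_MS`), the in-memory attempt store and the user id are all constructed for the example.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Constructed policy values for this example (not Runtipi's settings).
export const MAX_FAILURES = 5;            // failed codes allowed before a lockout
export const LOCKOUT_MS = 15 * 60 * 1000; // lockout duration once MAX_FAILURES is hit
export const TOTP_KEYSPACE = 1000000;     // 6-digit codes 000000..999999

// RFC 4226 HOTP with HMAC-SHA1, the primitive underneath RFC 6238 TOTP.
export function hotp(secret: Buffer, counter: number, digits = 6): string {
  const msg = Buffer.alloc(8);
  msg.writeBigUInt64BE(BigInt(counter));
  const mac = createHmac("sha1", secret).update(msg).digest();
  const offset = mac[mac.length - 1] & 0x0f; // dynamic truncation
  const bin =
    ((mac[offset] & 0x7f) << 24) |
    (mac[offset + 1] << 16) |
    (mac[offset + 2] << 8) |
    mac[offset + 3];
  return (bin % Math.pow(10, digits)).toString().padStart(digits, "0");
}

// RFC 6238 TOTP: the counter is the number of 30-second steps since the Unix epoch.
export function totp(secret: Buffer, nowMs: number, stepSec = 30): string {
  return hotp(secret, Math.floor(nowMs / 1000 / stepSec));
}

export type VerifyResult = "ok" | "invalid" | "locked";

interface AttemptState {
  failures: number;    // consecutive failed codes since the last success or lockout
  lockedUntil: number; // epoch ms until which verification is refused
}

// Hypothetical verification guard: counts failures per account and locks the account.
// State is in memory here; a real service would keep it in a shared cache so every
// replica enforces the same limit.
export class TotpGuard {
  private state = new Map<string, AttemptState>();

  constructor(private maxFailures = MAX_FAILURES, private lockoutMs = LOCKOUT_MS) {}

  verify(userId: string, secret: Buffer, code: string, nowMs: number): VerifyResult {
    const s = this.state.get(userId) ?? { failures: 0, lockedUntil: 0 };
    if (nowMs < s.lockedUntil) return "locked"; // refuse before touching the secret

    // Accept the current step and its neighbours for clock drift; compare in constant time.
    const step = Math.floor(nowMs / 1000 / 30);
    const submitted = Buffer.from(code, "utf8");
    let matched = false;
    for (const c of [Math.max(0, step - 1), step, step + 1]) {
      const expected = Buffer.from(hotp(secret, c), "utf8");
      if (submitted.length === expected.length && timingSafeEqual(submitted, expected)) {
        matched = true;
      }
    }
    if (matched) {
      this.state.delete(userId); // success clears the failure counter
      return "ok";
    }

    s.failures += 1;
    if (s.failures >= this.maxFailures) {
      s.lockedUntil = nowMs + this.lockoutMs;
      s.failures = 0;
    }
    this.state.set(userId, s);
    return "invalid";
  }
}

// Minutes to try every code once at a given rate with no limiting at all
// (the advisory's ~500 req/s gives roughly 33 minutes).
export function worstCaseExhaustionMinutes(reqPerSec: number): number {
  return TOTP_KEYSPACE / reqPerSec / 60;
}

// Upper bound on guesses the guard allows per account in a 24-hour window.
export function maxGuessesPerDay(maxFailures = MAX_FAILURES, lockoutMs = LOCKOUT_MS): number {
  return Math.floor((24 * 60 * 60 * 1000) / lockoutMs) * maxFailures;
}
```

With the constructed policy (5 failures, 15-minute lockout) an account can receive at most 480 guesses in the 24-hour session window, against a keyspace of 1,000,000 codes that also rotates every 30 seconds; the same check run with no guard at 500 req/s covers the whole keyspace in about 33 minutes, which is the figure the advisory gives. The lockout check runs before any HMAC is computed, so a locked account costs the server nothing beyond a map lookup.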
Problem Types
| Type | CWE ID | Description |
|---|---|---|
| CWE | CWE-307 | CWE-307: Improper Restriction of Excessive Authentication Attempts |
| CWE | CWE-799 | CWE-799: Improper Control of Interaction Frequency |
Metrics
| Version | Base score | Base severity | Vector |
|---|---|---|---|
| 3.1 | 8.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |