GHSA-jhmr-57cj-q6g9: 
vulnerability analysis and mitigation

A high-severity vulnerability (GHSA-jhmr-57cj-q6g9) was discovered in Komari, affecting versions prior to 0.0.0-20250809064056-cc3d54bff4c6. The vulnerability is a logic error in the 2FA verification condition that allows bypass of two-factor authentication. The issue was discovered and published on August 9, 2025, and was subsequently reviewed and updated in the GitHub Advisory Database on August 12, 2025. The vulnerability received a CVSS score of 8.5, indicating high severity (GitHub Advisory).

The vulnerability stems from a logic error in the 2FA verification condition where there is no way for Verify2Fa to return an error AND true as ok simultaneously. The flaw is located in the login.go file at line 55, where the condition err != nil && ok is incorrectly implemented, causing any 6-digit code to be considered valid. The vulnerability has been assigned a CVSS v4 base score of 8.5, with attack vector: Network, attack complexity: Low, attack requirements: None, privileges required: High, and user interaction: None (GitHub Advisory).

The vulnerability allows attackers to bypass two-factor authentication mechanisms, potentially compromising account security. According to the CVSS metrics, the vulnerability has high impact on both confidentiality and integrity of the vulnerable system, though availability is not affected (GitHub Advisory).

The vulnerability has been patched in version 0.0.0-20250809064056-cc3d54bff4c6 (1.0.4-fix1). The fix involves correcting the logic condition in the 2FA verification process by changing the condition from err != nil && ok to err != nil || !ok (Komari Fix).