
Attackers Can Evade 2FA with Yubico Software Module Bug


Hardware authentication security key provider Yubico has warned of a high-severity issue impacting its pam-u2f software package for YubiKey and FIDO-compliant device integration, which could be exploited to facilitate partial evasion of two-factor authentication defenses in macOS and Linux devices, The Cyber Express reports.

Yubico said the vulnerability, tracked as CVE-2025-23013, stems from inadequate authentication flow management within the pam_sm_authenticate() function. The company said it's slightly more severe in configurations involving single-factor authentication with a user-managed AuthFile, as well as the utilization of pam-u2f for single-factor authentication with other Pluggable Authentication Modules, compared with scenarios involving 2FA with a centrally managed AuthFile.

Organizations running pam-u2f prior to 1.3.1, especially those that used apt or manual means for pam-u2f installation in macOS and Linux systems, have been urged to immediately download the latest version of the software module to avoid potential compromise.
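
To help prioritize hosts while upgrading, the following sketch reads /etc/pam.d-style `auth` lines and labels each pam_u2f.so entry by the configurations the advisory distinguishes; it is an example added here, not code from Yubico or the original report. The mapping of the `sufficient` control flag to single-factor use, the home-directory prefixes, and the higher/lower/review labels are assumptions for illustration, and the sample lines are constructed.

```python
# Constructed /etc/pam.d-style sample; not taken from any real host.
SAMPLE = """\
auth sufficient pam_u2f.so cue
auth required   pam_unix.so
auth required   pam_u2f.so authfile=/etc/u2f_mappings
auth requisite  pam_u2f.so authfile=.ssh/u2f_keys
auth [success=1 default=ignore] pam_u2f.so authfile=/etc/u2f_mappings
"""
HOME_PREFIXES = ("/home/", "/Users/")  # assumption: where home directories live

def parse_u2f_line(line):
    """Return (control, module_args) for an auth line loading pam_u2f.so, else None."""
    line = line.split("#", 1)[0].strip()
    parts = line.split(None, 1)
    if len(parts) < 2 or parts[0].lstrip("-") != "auth":
        return None
    rest = parts[1]
    if rest.startswith("["):  # bracketed control, e.g. [success=1 default=ignore]
        control, _, rest = rest.partition("]")
        control += "]"
    else:
        control, rest = (rest.split(None, 1) + [""])[:2]
    tokens = rest.split()
    if not tokens or not tokens[0].endswith("pam_u2f.so"):
        return None
    return control, tokens[1:]

def authfile_kind(args):
    """No authfile= or a relative/home path means each user controls the file."""
    path = next((a.split("=", 1)[1] for a in args if a.startswith("authfile=")), None)
    if path is None or not path.startswith("/") or path.startswith(HOME_PREFIXES):
        return "user-managed"
    return "central"

def triage(line):
    parsed = parse_u2f_line(line)
    if parsed is None:
        return None
    control, args = parsed
    kind = authfile_kind(args)
    if control == "sufficient":  # assumption: U2F alone can satisfy the stack
        return ("single-factor", kind, "higher")
    if control in ("required", "requisite"):
        return ("second-factor", kind, "lower" if kind == "central" else "review")
    return ("unclear", kind, "review")  # bracketed controls need a manual read

def audit(text):
    return [t for t in map(triage, text.splitlines()) if t]
```

Calling `audit()` on the contents of each file under /etc/pam.d gives a per-host list to sort by the third field; every flagged host still needs the upgrade to 1.3.1 or later regardless of its label.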
