CVE-2025-42615

In affected versions, vulnerability-lookup did not track or limit failed One-Time Password (OTP) attempts during Two-Factor Authentication (2FA) verification. An attacker who already knew or guessed a valid username and password could submit an arbitrary number of OTP codes without causing the account to be locked or generating any specific alert for administrators.


This lack of rate-limiting and lockout on OTP failures significantly lowers the cost of online brute-force attacks against 2FA codes and increases the risk of successful account takeover, especially if OTP entropy is reduced (e.g. short numeric codes, user reuse, or predictable tokens). Additionally, administrators had no direct visibility into accounts experiencing repeated 2FA failures, making targeted attacks harder to detect and investigate.


The patch introduces a persistent failed_otp_attempts counter on user accounts, locks the user after 5 invalid OTP submissions, resets the counter on successful verification, and surfaces failed 2FA attempts in the admin user list. This enforces an account lockout policy for OTP brute-force attempts and improves monitoring capabilities for suspicious 2FA activity.

This issue affects Vulnerability-Lookup: before 2.18.0.
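The lockout policy the patch describes, as an added illustration that is not vulnerability-lookup's own code: a persisted failed_otp_attempts counter, a lock after 5 invalid submissions, a reset on success, and an admin listing of accounts with failed 2FA attempts. The User class, verify_otp, users_with_failed_2fa and the fixed expected OTP values are assumptions constructed for the example.

```python
import hmac
from dataclasses import dataclass

MAX_FAILED_OTP_ATTEMPTS = 5  # lock after 5 invalid submissions, as in the patch


@dataclass
class User:
    """Minimal in-memory stand-in for a persisted user record (assumption)."""
    username: str
    # Constructed sample value: a real deployment derives the expected code
    # from the user's TOTP secret; it is fixed here so the example runs offline.
    expected_otp: str
    failed_otp_attempts: int = 0  # the persisted counter the patch introduces
    locked: bool = False


def verify_otp(user: User, submitted: str) -> bool:
    """Accept the code only if the account is unlocked and the code matches.

    Each failure increments the persisted counter, reaching the limit locks
    the account, and a success resets the counter to zero."""
    if user.locked:
        # Reject before comparing, so a locked account reveals nothing about
        # whether the submitted code would otherwise have been valid.
        return False
    if hmac.compare_digest(user.expected_otp.encode(), submitted.encode()):
        user.failed_otp_attempts = 0
        return True
    user.failed_otp_attempts += 1
    if user.failed_otp_attempts >= MAX_FAILED_OTP_ATTEMPTS:
        user.locked = True
    return False


def users_with_failed_2fa(users):
    """Admin view: accounts with at least one failed 2FA attempt, worst first."""
    return sorted((u for u in users if u.failed_otp_attempts > 0),
                  key=lambda u: u.failed_otp_attempts, reverse=True)


def demo():
    """Five wrong codes followed by the right one: the lock must hold."""
    alice = User("alice", "287082")
    outcomes = [verify_otp(alice, c) for c in ["000000"] * 5 + ["287082"]]
    return alice, outcomes
```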
Provider   Type   Base Score   Atk. Vector   Atk. Complexity   Priv. Required   Vector
NIST       NIST   UNKNOWN      ---           ---               ---              ---
ENISA      CNA    ---          ---           ---               ---              ---
CISA-ADP   ADP    ---          ---           ---               ---              ---