CVE-2025-10470: Magic Link Authentication Flaw Enables Denial-of-Service via Uncontrolled Memory Growth
A high-severity vulnerability has been identified in Magic Link authentication implementations, exposing systems to potential denial-of-service conditions through uncontrolled memory consumption. Assigned CVE-2025-10470 with a CVSS score of 8.6, the flaw stems from the authentication flow accepting multiple invalid requests without adequate rate limiting or resource controls. The vulnerability was discovered and reported by Patchstack.
The core issue lies in how Magic Link—a passwordless authentication method that sends time-sensitive links to user emails—handles repeated failed or malformed authentication attempts. Unlike traditional login systems that enforce strict request thresholds, the affected implementation fails to impose meaningful constraints on the volume of invalid authentication requests it will accept. This design gap allows an attacker to trigger excessive memory allocation by flooding the system with illegitimate authentication attempts, progressively degrading server performance until the service becomes unresponsive.
The flaw carries particular weight for deployments in high-traffic environments where authentication endpoints face constant request pressure. Systems relying on Magic Link without supplementary rate limiting at the application or network layer remain vulnerable to exploitation. Organizations using Tenda-related authentication infrastructure are among those advised to audit their current implementations. Patching guidance has been issued through standard vulnerability disclosure channels, and administrators should prioritize applying available updates. Until patches are deployed, monitoring for unusual authentication request patterns and implementing temporary rate-limiting measures can help mitigate exposure.
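The defensive pattern the advisory points to (a per-client request limit, no state allocated for invalid attempts, and a hard cap on every in-memory structure the authentication flow keeps) is illustrated below. This is an added example and not the affected project's code; the advisory does not name the implementation language, so Python is used. The class and counter names, the limits, and the injectable clock are assumptions made for the example, and the token store and limiter are in-process only, where a real deployment would use a shared store with TTL expiry. The `simulate_flood` helper replays a constructed burst of bogus redemption attempts so an operator can confirm that memory stays bounded.

```python
"""Bounded magic-link request handling (added example, not the project's code)."""
import secrets
import time
from collections import OrderedDict, deque


class MagicLinkService:
    """Issues and redeems magic-link tokens with fixed upper bounds on memory.

    Assumed defaults: 10k pending tokens, 15 min token lifetime, 5 requests per
    60 s per client key, and at most 50k tracked client keys in the limiter.
    """

    def __init__(self, *, max_pending=10_000, token_ttl=900, window=60,
                 max_requests_per_window=5, max_tracked_clients=50_000,
                 clock=time.monotonic):
        self.max_pending = max_pending
        self.token_ttl = token_ttl
        self.window = window
        self.max_requests_per_window = max_requests_per_window
        self.max_tracked_clients = max_tracked_clients
        self._clock = clock
        # token -> (email, expires_at); insertion-ordered so the oldest is evicted first
        self._pending = OrderedDict()
        # client_key -> deque of recent request timestamps; bounded like the token store
        self._recent = OrderedDict()
        # counters an operator can export to detect the "unusual request patterns"
        # the advisory recommends monitoring for
        self.counters = {"issued": 0, "redeemed": 0, "invalid": 0,
                         "rate_limited": 0, "evicted": 0}

    def _allow(self, client_key):
        """Sliding-window limiter; every request, valid or not, consumes budget."""
        now = self._clock()
        recent = self._recent.get(client_key)
        if recent is None:
            # The limiter itself must not grow without bound: drop the least
            # recently seen client once the cap is reached.
            while len(self._recent) >= self.max_tracked_clients:
                self._recent.popitem(last=False)
            recent = self._recent[client_key] = deque()
        else:
            self._recent.move_to_end(client_key)
        while recent and recent[0] <= now - self.window:
            recent.popleft()
        if len(recent) >= self.max_requests_per_window:
            self.counters["rate_limited"] += 1
            return False
        recent.append(now)
        return True

    def request_link(self, email, client_key):
        """Create a pending token for `email`, or None if the client is throttled."""
        if not self._allow(client_key):
            return None
        now = self._clock()
        for tok in [t for t, (_, exp) in self._pending.items() if exp <= now]:
            del self._pending[tok]  # drop expired tokens before adding a new one
        while len(self._pending) >= self.max_pending:
            self._pending.popitem(last=False)  # hard cap: evict oldest, never grow
            self.counters["evicted"] += 1
        token = secrets.token_urlsafe(32)
        self._pending[token] = (email, now + self.token_ttl)
        self.counters["issued"] += 1
        return token

    def redeem(self, token, client_key):
        """Return the email for a valid token; invalid attempts allocate no state."""
        if not self._allow(client_key):
            return None
        entry = self._pending.pop(token, None)
        if entry is None or entry[1] <= self._clock():
            self.counters["invalid"] += 1
            return None
        self.counters["redeemed"] += 1
        return entry[0]

    def pending_count(self):
        return len(self._pending)

    def tracked_clients(self):
        return len(self._recent)


def simulate_flood(attempts=20_000, max_pending=1_000, max_tracked_clients=2_000):
    """Replay constructed bogus redemptions from distinct client keys and return
    the service so its counters and sizes can be inspected afterwards."""
    svc = MagicLinkService(max_pending=max_pending,
                           max_tracked_clients=max_tracked_clients)
    for i in range(attempts):
        svc.redeem(f"not-a-real-token-{i}", f"client-{i}")  # constructed input
    return svc


if __name__ == "__main__":
    svc = simulate_flood()
    print("pending tokens:", svc.pending_count(),
          "tracked clients:", svc.tracked_clients(), "counters:", svc.counters)
```

Two properties are worth checking in a review of any magic-link implementation: a failed redemption must not create or retain anything (here it only increments a counter), and the rate limiter's own bookkeeping needs a ceiling, since a limiter keyed on attacker-controlled values is itself a memory-growth vector if left unbounded.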