TS-2025-007

Vulnerability from tailscale - Published: Fri, 07 Nov 2025 00:00:00 GMT

Description: A one-off auth key could be reused from multiple devices

What happened?

A time-of-check/time-of-use (TOCTOU) issue allowed multiple nodes to register using the same one-off auth key. These registration attempts would have to happen at approximately the same time to succeed.

The Tailscale coordination server relies on database transactions to ensure consistency and prevent race conditions. The API handler for node registration requests uses a read transaction to validate the request, including the auth key, and then a separate write transaction to complete the registration. One-off auth keys are invalidated during the write transaction stage. Previously, if two registration requests came in at the same time they would both successfully validate the auth key during the read transaction and proceed to register the node. We fixed the API handler to re-validate the auth key during the write transaction stage to catch this race condition.

What was the impact?

A one-off auth key could be reused multiple times to register multiple nodes, rather than just one.

Who was affected?

Tailnets using one-off auth keys through automation. All nodes would have to obtain a legitimate auth key for the tailnet. Malicious nodes cannot abuse this issue to join the tailnet.

Tailscale audit logs do not have enough information to detect this race condition happening. We plan to improve our audit logs to make detection of incidents involving auth keys easier in the future.

What do I need to do?

No action is required. Tailscale has deployed a fix to the coordination server as of 2025-11-07.

Credits

We would like to thank madisp for reporting this issue.

Show details on source website
To clipboard 

{
  "guidislink": false,
  "id": "https://tailscale.com/security-bulletins/#ts-2025-007",
  "link": "https://tailscale.com/security-bulletins/#ts-2025-007",
  "links": [
    {
      "href": "https://tailscale.com/security-bulletins/#ts-2025-007",
      "rel": "alternate",
      "type": "text/html"
    }
  ],
  "published": "Fri, 07 Nov 2025 00:00:00 GMT",
  "summary": "\u003cp\u003e\u003cstrong\u003e\u003cem\u003eDescription\u003c/em\u003e\u003c/strong\u003e: A one-off auth key could be reused from multiple devices\u003c/p\u003e\n\u003ch4\u003eWhat happened?\u003c/h4\u003e\n\u003cp\u003eA time-of-check/time-of-use (TOCTOU) issue allowed multiple nodes to register\nusing the same \u003ca href=\"https://tailscale.com/kb/1085/auth-keys\"\u003eone-off auth key\u003c/a\u003e. These registration attempts\nwould have to happen at approximately the same time to succeed.\u003c/p\u003e\n\u003cp\u003eThe Tailscale coordination server relies on database transactions to ensure\nconsistency and prevent race conditions. The API handler for node registration\nrequests uses a read transaction to validate the request, including the auth\nkey, and then a separate write transaction to complete the registration.\nOne-off auth keys are invalidated during the write transaction stage.\nPreviously, if two registration requests came in at the same time they would\nboth successfully validate the auth key during the read transaction and proceed\nto register the node. We fixed the API handler to re-validate the auth key\nduring the write transaction stage to catch this race condition.\u003c/p\u003e\n\u003ch4\u003eWhat was the impact?\u003c/h4\u003e\n\u003cp\u003eA one-off auth key could be reused multiple times to register multiple\nnodes, rather than just one.\u003c/p\u003e\n\u003ch4\u003eWho was affected?\u003c/h4\u003e\n\u003cp\u003eTailnets using one-off auth keys through automation. All nodes would have to\nobtain a legitimate auth key for the tailnet. Malicious nodes cannot abuse this\nissue to join the tailnet.\u003c/p\u003e\n\u003cp\u003eTailscale audit logs do not have enough information to detect this race\ncondition happening. We plan to improve our audit logs to make detection of\nincidents involving auth keys easier in the future.\u003c/p\u003e\n\u003ch4\u003eWhat do I need to do?\u003c/h4\u003e\n\u003cp\u003e\u003cstrong\u003eNo action is required\u003c/strong\u003e. Tailscale has deployed a fix to the coordination server as of 2025-11-07.\u003c/p\u003e\n\u003ch4\u003eCredits\u003c/h4\u003e\n\u003cp\u003eWe would like to thank \u003ca href=\"https://github.com/madisp\"\u003emadisp\u003c/a\u003e for reporting this issue.\u003c/p\u003e",
  "summary_detail": {
    "base": "https://tailscale.com/security-bulletins/index.xml",
    "language": null,
    "type": "text/html",
    "value": "\u003cp\u003e\u003cstrong\u003e\u003cem\u003eDescription\u003c/em\u003e\u003c/strong\u003e: A one-off auth key could be reused from multiple devices\u003c/p\u003e\n\u003ch4\u003eWhat happened?\u003c/h4\u003e\n\u003cp\u003eA time-of-check/time-of-use (TOCTOU) issue allowed multiple nodes to register\nusing the same \u003ca href=\"https://tailscale.com/kb/1085/auth-keys\"\u003eone-off auth key\u003c/a\u003e. These registration attempts\nwould have to happen at approximately the same time to succeed.\u003c/p\u003e\n\u003cp\u003eThe Tailscale coordination server relies on database transactions to ensure\nconsistency and prevent race conditions. The API handler for node registration\nrequests uses a read transaction to validate the request, including the auth\nkey, and then a separate write transaction to complete the registration.\nOne-off auth keys are invalidated during the write transaction stage.\nPreviously, if two registration requests came in at the same time they would\nboth successfully validate the auth key during the read transaction and proceed\nto register the node. We fixed the API handler to re-validate the auth key\nduring the write transaction stage to catch this race condition.\u003c/p\u003e\n\u003ch4\u003eWhat was the impact?\u003c/h4\u003e\n\u003cp\u003eA one-off auth key could be reused multiple times to register multiple\nnodes, rather than just one.\u003c/p\u003e\n\u003ch4\u003eWho was affected?\u003c/h4\u003e\n\u003cp\u003eTailnets using one-off auth keys through automation. All nodes would have to\nobtain a legitimate auth key for the tailnet. Malicious nodes cannot abuse this\nissue to join the tailnet.\u003c/p\u003e\n\u003cp\u003eTailscale audit logs do not have enough information to detect this race\ncondition happening. We plan to improve our audit logs to make detection of\nincidents involving auth keys easier in the future.\u003c/p\u003e\n\u003ch4\u003eWhat do I need to do?\u003c/h4\u003e\n\u003cp\u003e\u003cstrong\u003eNo action is required\u003c/strong\u003e. Tailscale has deployed a fix to the coordination server as of 2025-11-07.\u003c/p\u003e\n\u003ch4\u003eCredits\u003c/h4\u003e\n\u003cp\u003eWe would like to thank \u003ca href=\"https://github.com/madisp\"\u003emadisp\u003c/a\u003e for reporting this issue.\u003c/p\u003e"
  },
  "title": "TS-2025-007",
  "title_detail": {
    "base": "https://tailscale.com/security-bulletins/index.xml",
    "language": null,
    "type": "text/plain",
    "value": "TS-2025-007"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.