CVE-2025-67494
published 2025-12-09CVE-2025-67494: ZITADEL is an open-source identity infrastructure tool. Versions 4.7.0 and below are vulnerable to an unauthenticated, full-read SSRF vulnerability. The…
PriorityP357high8.6CVSS 3.1
AVNACLPRNUINSCCHINAN
EPSS
0.45%
36.0th percentile
ZITADEL is an open-source identity infrastructure tool. Versions 4.7.0 and below are vulnerable to an unauthenticated, full-read SSRF vulnerability. The ZITADEL Login UI (V2) treats the x-zitadel-forward-host header as a trusted fallback for all deployments, including self-hosted instances. This allows an unauthenticated attacker to force the server to make HTTP requests to arbitrary domains, such as internal addresses, and read the responses, enabling data exfiltration and bypassing network-segmentation controls. This issue is fixed in version 4.7.1.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | zitadel_zitadel | >= 0 < 1.80.0-v2.20.0.20251208091519-4c879b47334e | 1.80.0-v2.20.0.20251208091519-4c879b47334e |
| github.com | zitadel_zitadel | 1.83.4 – 1.87.5 | — |
| github.com | zitadel_zitadel | >= 1.83.4 | — |
| github.com | zitadel_zitadel | >= 4.0.0-rc.1 < 4.7.1 | 4.7.1 |
| github.com | zitadel_zitadel_v2 | >= 0 < 1.80.0-v2.20.0.20251208091519-4c879b47334e | 1.80.0-v2.20.0.20251208091519-4c879b47334e |
| zitadel | zitadel | < 1.80.0-v2.20.0.20251208091519-4c879b47334e | 1.80.0-v2.20.0.20251208091519-4c879b47334e |
| zitadel | zitadel | — | — |
| zitadel | zitadel | — | — |
| zitadel | zitadel | >= 4.0.0 < 4.7.1 | 4.7.1 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
ZITADEL Vulnerable to Unauthenticated Full-Read SSRF via V2 Login in github.com/zitadel/zitadel
osv·2025-12-15
CVE-2025-67494 ZITADEL Vulnerable to Unauthenticated Full-Read SSRF via V2 Login in github.com/zitadel/zitadel
ZITADEL Vulnerable to Unauthenticated Full-Read SSRF via V2 Login in github.com/zitadel/zitadel
ZITADEL Vulnerable to Unauthenticated Full-Read SSRF via V2 Login in github.com/zitadel/zitadel.
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: github.com/zitadel/zitadel from v4.0.0-rc.1 before v4.7.1.
OSV
ZITADEL Vulnerable to Unauthenticated Full-Read SSRF via V2 Login
osv·2025-12-08
CVE-2025-67494 [CRITICAL] ZITADEL Vulnerable to Unauthenticated Full-Read SSRF via V2 Login
ZITADEL Vulnerable to Unauthenticated Full-Read SSRF via V2 Login
### Summary
Zitadel is vulnerable to an unauthenticated, full-read SSRF vulnerability. An unauthenticated remote attacker can force Zitadel into making HTTP requests to arbitrary domains, including internal addresses. The server then returns the upstream response to the attacker, enabling data exfiltration from internal services.
### Impact
ZITADEL Login UI (V2) was vulnerable to service URL manipulation through the x-zitadel-forward-host header. The service URL resolution logic treated the header as a trusted fallback for all deployments, including self-hosted instances. This allowed unauthenticated attacker to force the server to make outbound requests and read the responses, reaching internal services, exfiltrating da
GHSA
ZITADEL Vulnerable to Unauthenticated Full-Read SSRF via V2 Login
ghsa·2025-12-08
CVE-2025-67494 [CRITICAL] CWE-918 ZITADEL Vulnerable to Unauthenticated Full-Read SSRF via V2 Login
ZITADEL Vulnerable to Unauthenticated Full-Read SSRF via V2 Login
### Summary
Zitadel is vulnerable to an unauthenticated, full-read SSRF vulnerability. An unauthenticated remote attacker can force Zitadel into making HTTP requests to arbitrary domains, including internal addresses. The server then returns the upstream response to the attacker, enabling data exfiltration from internal services.
### Impact
ZITADEL Login UI (V2) was vulnerable to service URL manipulation through the x-zitadel-forward-host header. The service URL resolution logic treated the header as a trusted fallback for all deployments, including self-hosted instances. This allowed unauthenticated attacker to force the server to make outbound requests and read the responses, reaching internal services, exfiltrating da
No detection rules found.
No public exploits indexed.
2025-12-09
Published