CVE-2025-67495
Published 2025-12-09
Priority P4 (33), medium severity, CVSS 3.1 base score 6.1
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.26% (percentile 17.3)
ZITADEL is an open-source identity infrastructure tool. Versions 4.0.0-rc.1 through 4.7.0 are vulnerable to DOM-based XSS through the Zitadel V2 logout endpoint. The /logout endpoint insecurely routes to a value that is supplied in the post_logout_redirect GET parameter. As a result, an unauthenticated remote attacker can execute malicious JS code in Zitadel users' browsers. To carry out an attack, multiple user sessions need to be active in the same browser; account takeover is mitigated when Multi-Factor Authentication (MFA) or Passwordless authentication is in use. This issue is fixed in version 4.7.1.
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | zitadel_zitadel | >= 0 < 1.80.0-v2.20.0.20251208091519-4c879b47334e | 1.80.0-v2.20.0.20251208091519-4c879b47334e |
| github.com | zitadel_zitadel | 1.83.4 – 1.87.5 | — |
| github.com | zitadel_zitadel | >= 1.83.4 | — |
| github.com | zitadel_zitadel | >= 4.0.0-rc.1 < 4.7.1 | 4.7.1 |
| github.com | zitadel_zitadel_v2 | >= 0 < 1.80.0-v2.20.0.20251208091519-4c879b47334e | 1.80.0-v2.20.0.20251208091519-4c879b47334e |
| zitadel | zitadel | < 1.80.0-v2.20.0.20251208091519-4c879b47334e | 1.80.0-v2.20.0.20251208091519-4c879b47334e |
| zitadel | zitadel | — | — |
| zitadel | zitadel | — | — |
| zitadel | zitadel | >= 4.0.0 < 4.7.1 | 4.7.1 |
OSV
ZITADEL Vulnerable to Account Takeover via DOM-Based XSS in Zitadel V2 Login in github.com/zitadel/zitadel
osv·2025-12-15
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: github.com/zitadel/zitadel from v4.0.0-rc.1 before v4.7.1.
GHSA
ZITADEL Vulnerable to Account Takeover via DOM-Based XSS in Zitadel V2 Login
ghsa·2025-12-08
Severity: HIGH · CWE-79
### Summary
A potential vulnerability exists in ZITADEL's logout endpoint in login V2. This endpoint accepts several parameters, including `post_logout_redirect`. When this parameter is specified, users are redirected to the site provided via this parameter.
ZITADEL's login UI did not ensure that this parameter contained an allowed value and even executed passed scripts.
### Impact
Zitadel is vulnerable to a DOM-based XSS vulnerability. More specifically, the /logout endpoint insecurely routed to the value supplied in the post_logout_redirect GET parameter. As a result, malicious JS code could be executed in Zitadel users' browsers, in the Zitadel V2 Login domain.
An unauthenticated remote att
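The control the advisory describes as missing is an allowlist check on the redirect parameter before the login UI routes to it. The following is an added illustration in JavaScript and is not ZITADEL's code: the registered-URI allowlist, the default landing page and the function names are assumptions. It shows the unchecked pattern beside a hardened one that parses the value as an absolute URL, accepts only `https:`, and requires an exact match against a registered post-logout redirect URI, plus a classifier that turns rejected values into a loggable reason.

```javascript
// Added example, not ZITADEL's code: handling a post_logout_redirect query
// parameter on a logout page. Allowlist, default landing URL and function
// names are assumptions for illustration.

// Constructed allowlist standing in for the post-logout redirect URIs that
// OIDC clients registered with the identity provider. Exact-match semantics,
// as OIDC RP-Initiated Logout recommends for post_logout_redirect_uri.
const REGISTERED_POST_LOGOUT_URIS = [
  "https://app.example.com/loggedout",
  "https://app.example.com/",
];

// Where the login UI lands when the parameter is absent or rejected.
const DEFAULT_LANDING = "https://login.example.com/loggedout";

// Unchecked pattern: the parameter goes to the router verbatim, so any
// scheme the browser will navigate to (including javascript:) is honoured.
function vulnerableRedirectTarget(search) {
  const params = new URLSearchParams(search);
  return params.get("post_logout_redirect") || DEFAULT_LANDING;
}

// Hardened pattern: parse as an absolute URL, accept only https, refuse
// embedded credentials, and require an exact match against a registered URI.
// Relative paths and scheme-less "//host" forms fail to parse and fall back.
function safeRedirectTarget(search, allowlist = REGISTERED_POST_LOGOUT_URIS) {
  const params = new URLSearchParams(search);
  const raw = params.get("post_logout_redirect");
  if (!raw) return DEFAULT_LANDING;

  let candidate;
  try {
    candidate = new URL(raw); // throws on relative or scheme-less input
  } catch {
    return DEFAULT_LANDING;
  }
  if (candidate.protocol !== "https:") return DEFAULT_LANDING;
  if (candidate.username || candidate.password) return DEFAULT_LANDING;

  // Normalise both sides through the URL parser so host case, a default
  // port or an omitted trailing slash cannot defeat an otherwise exact match.
  // A differing query string or fragment is still a mismatch.
  const normalised = candidate.href;
  const allowed = allowlist.some((entry) => new URL(entry).href === normalised);
  return allowed ? normalised : DEFAULT_LANDING;
}

// Classify a raw parameter value for logging. Rejected values arriving at a
// logout endpoint are a useful detection signal on their own.
function classifyRedirectParam(raw, allowlist = REGISTERED_POST_LOGOUT_URIS) {
  if (!raw) return "absent";
  let candidate;
  try {
    candidate = new URL(raw);
  } catch {
    return "unparsable";
  }
  if (candidate.protocol !== "https:") return "bad-scheme";
  if (candidate.username || candidate.password) return "has-credentials";
  return allowlist.some((entry) => new URL(entry).href === candidate.href)
    ? "allowed"
    : "not-registered";
}
```

A real deployment would load the allowlist from the client registration rather than a constant, but the decision logic is the same: never navigate to a value from the query string until it has been parsed and matched exactly against something the operator registered.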
OSV
ZITADEL Vulnerable to Account Takeover via DOM-Based XSS in Zitadel V2 Login
osv·2025-12-08
No detection rules found.
No public exploits indexed.
Published 2025-12-09