The security team behind ZITADEL, the open-source identity management platform, has issued urgent advisories regarding three high-severity vulnerabilities discovered in its V2 Login UI. The flaws, an unauthenticated Server-Side Request Forgery (SSRF), a DOM-based Cross-Site Scripting (XSS) bug in the logout flow, and a host header injection in the password reset flow, could allow unauthenticated attackers to hijack user accounts and reach internal networks.
The “Full-Read” Breach: CVE-2025-67494
The most critical of the three, carrying a CVSS score of 9.3, is an unauthenticated SSRF vulnerability. This flaw allows attackers to weaponize the platform’s URL resolution logic against itself.
According to the advisory, the login interface “was vulnerable to service URL manipulation through the x-zitadel-forward-host header”. Because the system treated this header as a trusted fallback, an external attacker could “force the server to make outbound requests and read the responses, reaching internal services, exfiltrating data, and bypassing IP-based or network-segmentation controls”.
The “Logout” Trap: CVE-2025-67495
The second vulnerability, rated CVSS 8.0, turns the logout process into a weapon. This DOM-based XSS flaw lies in how the logout endpoint handles the post_logout_redirect parameter.
The advisory warns that the UI “did not ensure that this parameter contained an allowed value and even executed passed scripts”. By crafting a malicious logout link, an attacker could execute JavaScript in a victim’s browser. “By doing so, such an attacker could reset the password of their victims, and take over their accounts,” provided multiple user sessions are active.
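The pattern behind a DOM-based redirect XSS, and the check that stops it, as an added example in TypeScript (the language of the V2 login UI). This is not ZITADEL's code or its actual fix: the registered post-logout URIs, the parameter handling and the test inputs are all constructed for illustration. The vulnerable function returns whatever would be assigned to `window.location.href`; in a browser that assignment executes a `javascript:` URL, which is the attack the advisory describes.

```typescript
// Added example (not ZITADEL's code): validating a post-logout redirect target.
// REGISTERED_POST_LOGOUT_URIS is a hypothetical stand-in for the post-logout
// redirect URIs an OIDC client would register with the identity provider.
const REGISTERED_POST_LOGOUT_URIS: readonly string[] = [
  "https://app.example.com/signed-out",
  "https://portal.example.com/",
];

/** Vulnerable pattern (DOM-based XSS): the query value is handed straight to
 *  navigation. In a browser, `window.location.href = value` runs a javascript: URL. */
function logoutRedirectVulnerable(query: URLSearchParams): string | null {
  return query.get("post_logout_redirect");
}

/** Parse only absolute https URLs without embedded credentials; everything else
 *  (javascript:, data:, http:, relative or protocol-relative paths, user@host) is null.
 *  `new URL(raw)` without a base throws on relative input, which is what we want. */
function parseHttpsUrl(raw: string): URL | null {
  try {
    const url = new URL(raw);
    if (url.protocol !== "https:") return null;          // scheme is lower-cased by the parser
    if (url.username !== "" || url.password !== "") return null; // https://app.example.com@evil.example
    return url;
  } catch {
    return null;
  }
}

/** Hardened pattern: exact match against registered URIs after both sides go through
 *  the WHATWG URL parser (so "https://portal.example.com" equals ".../"), fragment ignored. */
function logoutRedirectHardened(
  query: URLSearchParams,
  registered: readonly string[] = REGISTERED_POST_LOGOUT_URIS,
): string | null {
  const raw = query.get("post_logout_redirect");
  if (raw === null) return null;
  const target = parseHttpsUrl(raw);
  if (target === null) return null;
  target.hash = "";
  const normalised = target.href;
  for (const allowed of registered) {
    if (new URL(allowed).href === normalised) return normalised;
  }
  return null;
}

// Constructed inputs an attacker might put in a crafted logout link.
const redirectCases: readonly string[] = [
  "https://app.example.com/signed-out",
  "https://app.example.com/signed-out#done",
  "javascript:alert(document.cookie)",
  "JavaScript:alert(1)",
  "//evil.example/steal",
  "https://app.example.com.evil.example/signed-out",
  "https://app.example.com@evil.example/signed-out",
  "http://app.example.com/signed-out",
];
for (const c of redirectCases) {
  const q = new URLSearchParams({ post_logout_redirect: c });
  console.log(c, "-> vulnerable:", logoutRedirectVulnerable(q), "| hardened:", logoutRedirectHardened(q));
}
```

Exact matching after parsing is deliberate: prefix or substring checks on the raw string are what let `https://app.example.com.evil.example` and `https://app.example.com@evil.example` through, and a scheme check on the raw string misses `JavaScript:` with different casing or leading whitespace, both of which the URL parser normalises before the comparison.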
The “Reset” Hijack: Improper Instance Validation
The third advisory details a CVSS 8.1 vulnerability involving Host Header Injection. This flaw specifically targets the password reset mechanism.
ZITADEL uses incoming headers to construct the URL for password reset links sent via email. “If an attacker can manipulate these headers (e.g., via host header injection), they could cause ZITADEL to generate a password reset link pointing to a malicious domain controlled by the attacker”.
If a user clicks this poisoned link, the secret reset code is sent directly to the attacker. “This captured code could then be used to reset the user’s password and gain unauthorized access to their account”.
Immediate Remediation
All three vulnerabilities have been addressed in ZITADEL version 4.7.1. The patches involve “correctly validating the X-Forwarded-Host and Forwarded headers against the instance custom and trusted domains” and securing the logout flow with JSON Web Tokens (JWT).
For organizations unable to upgrade immediately, a critical workaround is available: “A ZITADEL fronting proxy can be configured to delete all forwarded header values or set it to the requested host before sending requests to ZITADEL self-hosted environments”.
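The SSRF, the poisoned reset link and the proxy workaround above all come down to one question: which host does the server believe it was reached at? The following is an added example in TypeScript (the language of the V2 login UI), not ZITADEL's code or its patch. It models a resolver that trusts forwarded headers as-is beside one that accepts them only when they name a trusted domain, and a proxy-side sanitiser that does what the advisory's workaround describes. The domain names, the reset path and parameter name, the reset code and the trusted-domain list are all constructed; the header names (`x-zitadel-forward-host`, `X-Forwarded-Host`, `Forwarded`) are the ones the page quotes.

```typescript
// Added example (not ZITADEL's code): trusting forwarded host headers turns a
// request header into the origin of outbound service calls and emailed reset links.
type HeaderMap = Record<string, string | undefined>;

// Hypothetical instance configuration: the domains this instance may be addressed
// at (standing in for ZITADEL's "custom and trusted domains") and the fallback host.
const TRUSTED_DOMAINS: readonly string[] = ["login.example.com", "auth.example.com"];
const DEFAULT_HOST = "login.example.com";

/** Case-insensitive header lookup (HTTP header names are case-insensitive). */
function header(h: HeaderMap, name: string): string | undefined {
  const wanted = name.toLowerCase();
  for (const key of Object.keys(h)) {
    if (key.toLowerCase() === wanted) return h[key];
  }
  return undefined;
}

/** Extract host= from an RFC 7239 Forwarded header such as
 *  `for=192.0.2.1;host="evil.example";proto=https`. Only the first hop is read. */
function forwardedHost(value: string | undefined): string | undefined {
  if (!value) return undefined;
  const firstHop = value.split(",")[0] ?? "";
  for (const pair of firstHop.split(";")) {
    const parts = pair.split("=");
    const key = (parts[0] ?? "").trim().toLowerCase();
    const val = parts.slice(1).join("=").trim().replace(/^"|"$/g, "");
    if (key === "host" && val !== "") return val;
  }
  return undefined;
}

/** Vulnerable pattern: the first forwarded header present is used as-is, so any
 *  client chooses the host that service URLs and reset links are built from. */
function resolveHostVulnerable(h: HeaderMap): string {
  return (
    header(h, "x-zitadel-forward-host") ??
    header(h, "x-forwarded-host") ??
    forwardedHost(header(h, "forwarded")) ??
    header(h, "host") ??
    DEFAULT_HOST
  );
}

/** Hardened pattern: a forwarded or Host value is accepted only if it names a trusted
 *  domain (port stripped for the comparison); otherwise the configured default wins. */
function resolveHostHardened(h: HeaderMap, trusted: readonly string[] = TRUSTED_DOMAINS): string {
  const candidates = [
    header(h, "x-zitadel-forward-host"),
    header(h, "x-forwarded-host"),
    forwardedHost(header(h, "forwarded")),
    header(h, "host"),
  ];
  for (const candidate of candidates) {
    if (!candidate) continue;
    const hostname = (candidate.split(",")[0] ?? "").trim().toLowerCase().replace(/:\d+$/, "");
    if (trusted.indexOf(hostname) !== -1) return hostname;
  }
  return DEFAULT_HOST;
}

/** The emailed password-reset link: whoever controls the host receives `code` when
 *  the victim clicks. Path and parameter name are illustrative, not ZITADEL's. */
function passwordResetLink(h: HeaderMap, resolve: (h: HeaderMap) => string, code: string): string {
  return `https://${resolve(h)}/password/reset?code=${encodeURIComponent(code)}`;
}

/** The advisory's workaround, modelled on the fronting proxy: drop every forwarded
 *  header the client sent and set X-Forwarded-Host to the host the proxy itself was
 *  asked for, so even an unpatched backend only sees a proxy-chosen value. */
function sanitizeAtProxy(h: HeaderMap, requestedHost: string): HeaderMap {
  const out: HeaderMap = {};
  for (const k of Object.keys(h)) {
    const lk = k.toLowerCase();
    if (lk === "x-zitadel-forward-host" || lk === "x-forwarded-host" || lk === "forwarded") continue;
    out[k] = h[k];
  }
  out["X-Forwarded-Host"] = requestedHost;
  return out;
}

// Constructed attacker request: Host is legitimate (the proxy set it), but the
// attacker-supplied forwarded header points at a domain they control.
const attackerRequest: HeaderMap = {
  Host: "login.example.com",
  "x-zitadel-forward-host": "attacker.example.net",
};

console.log(passwordResetLink(attackerRequest, resolveHostVulnerable, "s3cr3t-code")); // attacker's host
console.log(passwordResetLink(attackerRequest, resolveHostHardened, "s3cr3t-code"));   // login.example.com
console.log(resolveHostVulnerable(sanitizeAtProxy(attackerRequest, "login.example.com"))); // login.example.com
```

The same resolved host is what an SSRF-prone component would use to build its own outbound service URLs, so validating against the trusted-domain list addresses both advisories at once. Note that the proxy workaround only helps if the proxy is the sole path to ZITADEL; a backend reachable directly still receives attacker-controlled forwarded headers.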