CVE-2025-31123
HIGHDescription
Zitadel is open-source identity infrastructure software. A vulnerability existed where expired keys can be used to retrieve tokens. Specifically, ZITADEL fails to properly check the expiration date of the JWT key when used for Authorization Grants. This allows an attacker with an expired key to obtain valid access tokens. This vulnerability does not affect the use of JWT Profile for OAuth 2.0 Client Authentication on the Token and Introspection endpoints, which correctly reject expired keys. This vulnerability is fixed in 2.71.6, 2.70.8, 2.69.9, 2.68.9, 2.67.13, 2.66.16, 2.65.7, 2.64.6, and 2.63.9.
CVSS v3.1 Score
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| zitadel | zitadel |
| zitadel | zitadel |
| zitadel | zitadel |
| zitadel | zitadel |
| zitadel | zitadel |
| zitadel | zitadel |
| zitadel | zitadel |
| zitadel | zitadel |
| zitadel | zitadel |
References
Advisories & Patches
Other References
Frequently Asked Questions
What is CVE-2025-31123? +
How severe is CVE-2025-31123? +
What products are affected by CVE-2025-31123? +
How do I check if I'm vulnerable to CVE-2025-31123? +
Related Vulnerabilities
In the Linux kernel, the following vulnerability has been resolved: keys: Fix overwrite of key expiration on instantiation The expiry …
Password can be used past expiry in PgBouncer due to auth_query not taking into account Postgres its VALID UNTIL value, …
Gogs is an open source self-hosted Git service. Prior to 0.14.3, password-reset tokens are generated using conf.Auth.ActivateCodeLives (the account-activation lifetime), …
In PQUIC before 5bde5bb, retention of unused initial encryption keys allows attackers to disrupt a connection with a PSK configuration …
Use of a key past its expiration date in Virtual Secure Mode allows an authorized attacker to perform spoofing locally.
IBM Db2 10.5.0 through 10.5.11, 11.1.0 through 11.1.4.7, 11.5.0 through 11.5.9, and 12.1.0 through 12.1.3 for Linux could allow an …