CVE-2025-67494


Summary

CVE-2025-67494 describes a critical severity Server-Side Request Forgery (SSRF) vulnerability affecting ZITADEL, an open-source identity infrastructure tool. Unauthenticated attackers can exploit this flaw to force the ZITADEL server to make HTTP requests to arbitrary domains, potentially leading to data exfiltration and bypassing network segmentation.

Technical Details

CVE-2025-67494 is an unauthenticated, full-read SSRF (Server-Side Request Forgery) vulnerability present in ZITADEL versions 4.7.0 and below. The vulnerability stems from the ZITADEL Login UI (V2) incorrectly trusting the x-zitadel-forward-host header. This header is intended to be used in specific deployment scenarios, but the Login UI treats it as a trusted fallback for all deployments, including self-hosted instances.

An attacker can exploit this by sending a crafted HTTP request to the ZITADEL Login UI that carries an attacker-controlled x-zitadel-forward-host header naming an arbitrary URL. When the ZITADEL server processes the request, it makes a server-side HTTP request to that URL and returns the response to the attacker, which is what makes this a full-read SSRF. This allows the attacker to:

  • Scan internal network resources that are not publicly accessible.
  • Access sensitive data from internal services.
  • Potentially execute arbitrary code if the targeted internal service is vulnerable.

The vulnerability exists because the ZITADEL Login UI lacks proper validation and sanitization of the x-zitadel-forward-host header, allowing an attacker to control the destination of server-side HTTP requests.

Affected Products and Versions

  • ZITADEL versions 4.7.0 and below

Impact Assessment

Successful exploitation of CVE-2025-67494 can have severe consequences, including:

  • Data Exfiltration: An attacker can access sensitive data from internal services, such as databases, configuration files, and API endpoints.
  • Internal Network Scanning: The attacker can scan the internal network to identify other vulnerable services and systems.
  • Bypassing Network Segmentation: The attacker can bypass network segmentation controls, gaining access to resources that should be isolated.
  • Potential for Remote Code Execution: If the attacker can target a vulnerable internal service, they may be able to achieve remote code execution.

Remediation

Immediate Actions

  • Upgrade to ZITADEL version 4.7.1 or later: This version contains a fix for the SSRF vulnerability.
  • Monitor Network Traffic: Monitor network traffic for suspicious outbound requests originating from the ZITADEL server.

Long-term Solutions

  • Implement Strict Input Validation: Ensure that all user-supplied input, including HTTP headers, is properly validated and sanitized.
  • Principle of Least Privilege: Grant the ZITADEL server only the necessary permissions to access internal resources.
  • Regular Security Audits: Conduct regular security audits and penetration testing to identify and address potential vulnerabilities.

Detection & Scanning

Detecting CVE-2025-67494 involves analyzing network traffic and application logs for suspicious activity. Look for outbound HTTP requests from the ZITADEL server to unexpected or internal IP addresses and domains. You can also use security scanners to identify vulnerable ZITADEL instances.
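The following is an added example (not ZITADEL's code) that turns the checks described above into a script: it classifies x-zitadel-forward-host values taken from constructed edge-proxy access-log lines against an allowlist of the deployment's own hosts, flagging values that name private, loopback or link-local addresses or any host outside the allowlist. The log format, the allowed hosts and the sample lines are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Hosts this deployment legitimately serves the Login UI on (assumed values).
ALLOWED_FORWARD_HOSTS = {"login.example.com", "auth.example.com"}
# Constructed sample lines in an assumed edge-proxy log format (not ZITADEL's own):
# "<client-ip> <method> <path> fwd_host=<x-zitadel-forward-host value or '-'>"
SAMPLE_LOG = """\
203.0.113.5 GET /ui/v2/login fwd_host=login.example.com
198.51.100.7 GET /ui/v2/login fwd_host=127.0.0.1:8080
198.51.100.7 GET /ui/v2/login fwd_host=attacker.example.net
198.51.100.7 GET /ui/v2/login fwd_host=10.0.0.12
"""

def hostname_of(value: str) -> str:
    """Bare, lower-cased host from a value that may carry a port or IPv6 brackets."""
    return (urlsplit("//" + value.strip()).hostname or "").lower()

def is_internal_address(host: str) -> bool:
    """True when host is an IP literal in a private, loopback or link-local range."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name; cannot be judged without resolving it
    return addr.is_private or addr.is_loopback or addr.is_link_local

def classify_forward_host(value: str) -> str:
    """Classify a header value as absent, allowed, internal or unexpected."""
    if value.strip() in ("", "-"):
        return "absent"
    host = hostname_of(value)
    if host in ALLOWED_FORWARD_HOSTS:
        return "allowed"
    return "internal" if is_internal_address(host) else "unexpected"

def effective_host(value: str, configured_host: str) -> str:
    """Hardened fallback: honour the header only when it names an allowed host."""
    return hostname_of(value) if classify_forward_host(value) == "allowed" else configured_host

def scan_log(text: str) -> list[tuple[str, str, str]]:
    """(client, header value, verdict) for every request that warrants a look."""
    findings = []
    for line in text.splitlines():
        client, _method, _path, fwd = line.split(" ", 3)
        value = fwd.removeprefix("fwd_host=")
        verdict = classify_forward_host(value)
        if verdict in ("internal", "unexpected"):
            findings.append((client, value, verdict))
    return findings
```

effective_host shows the corresponding hardening on the application side: the header is honoured only when it names an allowed host, and the configured host is used otherwise.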
