Identity Infrastructure Vulnerability in Zitadel Affecting Token Authorization
CVE-2025-31123

8.7 HIGH

Key Information:

Vendor
Zitadel
Status
Vendor
CVE Published:
31 March 2025

Summary

A vulnerability in Zitadel, the open-source identity infrastructure software, allows an attacker who holds a JWT key that has already passed its expiration date to use it to obtain valid access tokens. Affected versions fail to check the expiration date of the key used in the JWT Profile for OAuth 2.0 Authorization Grants (RFC 7523 section 2.1): an assertion signed with an expired key is accepted as long as its signature verifies. The JWT Profile for OAuth 2.0 Client Authentication on the token and introspection endpoints does check key expiration correctly and is not affected. The high privileges-required rating reflects that the attacker must already possess such a key. The issue is fixed in the patched versions listed below.
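To make the failure mode concrete, the following Go program is added here as an illustration; it is not Zitadel's code and does not reproduce its internals. It implements the server side of the JWT Profile for OAuth 2.0 Authorization Grants (the urn:ietf:params:oauth:grant-type:jwt-bearer request) in two modes: with enforceKeyExpiry=false it behaves like the affected versions, validating only the assertion signature and the assertion's own exp claim, and with enforceKeyExpiry=true it also rejects a registered key whose expiration date has passed. The StoredKey record layout, the key-1 and service-user-1 identifiers and the https://zitadel.example.test audience are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// StoredKey is a constructed stand-in for a registered JWT key record: the public
// half plus the expiration date assigned when the key was created.
type StoredKey struct {
	Public    *rsa.PublicKey
	ExpiresAt time.Time
}

// claims are the JWT-bearer assertion claims (RFC 7523 section 3) used here.
type claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

// signingKey is a throwaway key pair generated once for the scenario below.
var signingKey, _ = rsa.GenerateKey(rand.Reader, 2048)

// decodeSegment base64url-decodes one JWT segment and unmarshals it into v.
func decodeSegment(seg string, v any) error {
	b, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(b, v)
}

// BuildAssertion builds the `assertion` parameter of a
// urn:ietf:params:oauth:grant-type:jwt-bearer token request, signed RS256.
func BuildAssertion(priv *rsa.PrivateKey, kid, userID, audience string, now time.Time) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims{Iss: userID, Sub: userID, Aud: audience, Exp: now.Add(time.Hour).Unix()})
	signingInput := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// VerifyAssertion validates an assertion and returns the subject a token would be
// issued for. With enforceKeyExpiry=false it mirrors the advisory's flaw: the assertion's
// own exp claim is enforced, but the key's expiration date is never consulted.
func VerifyAssertion(assertion string, keys map[string]StoredKey, audience string, now time.Time, enforceKeyExpiry bool) (string, error) {
	var hdr struct{ Alg, Kid string }
	var c claims
	parts := strings.Split(assertion, ".")
	if len(parts) != 3 || decodeSegment(parts[0], &hdr) != nil || hdr.Alg != "RS256" {
		return "", fmt.Errorf("malformed assertion or unsupported alg") // also blocks alg confusion
	}
	key, ok := keys[hdr.Kid]
	if !ok {
		return "", fmt.Errorf("unknown key id %q", hdr.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || rsa.VerifyPKCS1v15(key.Public, crypto.SHA256, digest[:], sig) != nil {
		return "", fmt.Errorf("invalid signature")
	}
	if decodeSegment(parts[1], &c) != nil || c.Aud != audience {
		return "", fmt.Errorf("malformed claims or audience mismatch")
	}
	if now.Unix() >= c.Exp {
		return "", fmt.Errorf("assertion expired")
	}
	// The missing check: a key past its expiration date must not yield a token, however valid the signature.
	if enforceKeyExpiry && !now.Before(key.ExpiresAt) {
		return "", fmt.Errorf("key %s expired at %s", hdr.Kid, key.ExpiresAt.UTC().Format(time.RFC3339))
	}
	return c.Sub, nil
}

// Scenario registers signingKey with expiration keyExpiresAt, signs an assertion at
// now, and returns the outcome of the vulnerable and the fixed path (nil = token issued).
func Scenario(now, keyExpiresAt time.Time) (vulnErr, fixedErr error) {
	const aud = "https://zitadel.example.test" // constructed audience, not a real deployment
	keys := map[string]StoredKey{"key-1": {Public: &signingKey.PublicKey, ExpiresAt: keyExpiresAt}}
	assertion, err := BuildAssertion(signingKey, "key-1", "service-user-1", aud, now)
	if err != nil {
		return err, err
	}
	_, vulnErr = VerifyAssertion(assertion, keys, aud, now, false)
	_, fixedErr = VerifyAssertion(assertion, keys, aud, now, true)
	return vulnErr, fixedErr
}
```

Calling Scenario with a key expiration one day in the past returns nil for the vulnerable path (a token would be issued) and a "key ... expired" error for the fixed path; with a future expiration both paths accept the assertion. The point of the example is that the assertion's exp claim and the registered key's expiration date are independent controls: the attacker sets the former freely when signing, so only the server-side check on the latter can retire a key.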

Affected Version(s)

zitadel >= 2.62.0, < 2.63.9 (fixed in 2.63.9)

zitadel >= 2.64.0-rc.1, < 2.64.6 (fixed in 2.64.6)

zitadel >= 2.65.0-rc.1, < 2.65.7 (fixed in 2.65.7)

References

CVSS V3.1

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published: 31 March 2025

  • Vulnerability reserved