Session Management Vulnerability in ZITADEL Identity Management System
CVE-2025-53895

7.7HIGH

Key Information:

Vendor

Zitadel

Status
Zitadel
Vendor
CVE Published:
15 July 2025

What is CVE-2025-53895?

The ZITADEL Identity Management System contains a flaw in its session management API, which allows authenticated users to update sessions if they possess the session ID. This vulnerability occurs due to an inadequate permission check. As a result, it opens the door for session hijacking attacks, enabling malicious users to impersonate others and gain unauthorized access to sensitive data. Versions released prior to 2.53.0 implemented session tokens to handle updates securely. To mitigate this risk, users should update to versions 4.0.0-rc.2, 3.3.2, 2.71.13, or 2.70.14, which incorporate necessary fixes.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

zitadel = 4.0.0-rc.1 = 4.0.0-rc.1

zitadel >= 3.0.0, < 3.3.1 < 3.0.0, 3.3.1

zitadel >= 2.53.0, < 2.70.14 < 2.53.0, 2.70.14

References

https://github.com/zitadel/zitadel/security/advisories/GH...
x_refsource_CONFIRM
https://github.com/zitadel/zitadel/releases/tag/v2.70.14
x_refsource_MISC
https://github.com/zitadel/zitadel/releases/tag/v2.71.13
x_refsource_MISC

CVSS V4

Score:
7.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.