Vulnerability in Zitadel's Password Reset Mechanism
CVE-2025-64101
What is CVE-2025-64101?
Zitadel, an open-source identity infrastructure software, is affected by a vulnerability in its password reset mechanism prior to versions 4.6.0, 3.4.3, and 2.71.18. The flaw is that the host used to build the password reset confirmation URL is taken from the Forwarded or X-Forwarded-Host request header. If an attacker can supply that header, the generated link points at a host of the attacker's choosing instead of the legitimate Zitadel instance. A user who follows the link then sends the secret reset code contained in it to that host, where it can be intercepted and used to reset the user's password. Users with Multi-Factor Authentication (MFA) or Passwordless authentication enabled are less exposed to this attack. The vulnerability has been addressed in the latest versions of Zitadel.
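The defensive pattern that closes this class of bug is to never echo a proxy header into an outbound link: the host for the reset URL comes from the deployment's own configuration, and a Forwarded/X-Forwarded-Host value is honoured only if it matches a configured allowlist. The following Go code is an added illustration of that check; it is not Zitadel's code, and the configuration values, the reset path `/ui/login/password/init`, the query parameter names and the sample hosts are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// Assumed configuration (constructed for this example): the hosts under which
// this deployment is legitimately reachable. A real product would load these
// from its own config rather than hard-code them.
var trustedHosts = map[string]bool{
	"login.example.com": true,
}

// Host used when no forwarded host is present at all.
const defaultExternalHost = "login.example.com"

// ErrUntrustedHost is returned when the request names a host we do not serve.
var ErrUntrustedHost = errors.New("forwarded host is not a configured external host")

// forwardedHost extracts the host a reverse proxy claims the client used:
// the "host=" parameter of the first RFC 7239 Forwarded element, or, failing
// that, the first value of X-Forwarded-Host. It returns "" when neither is set.
func forwardedHost(h http.Header) string {
	if fwd := h.Get("Forwarded"); fwd != "" {
		first := strings.Split(fwd, ",")[0]
		for _, p := range strings.Split(first, ";") {
			k, v, ok := strings.Cut(strings.TrimSpace(p), "=")
			if ok && strings.EqualFold(k, "host") {
				return strings.Trim(strings.TrimSpace(v), `"`)
			}
		}
	}
	if xfh := h.Get("X-Forwarded-Host"); xfh != "" {
		return strings.TrimSpace(strings.Split(xfh, ",")[0])
	}
	return ""
}

// resolveExternalHost decides which host may appear in outbound links.
// An absent header yields the configured default; an allowlisted header value
// is accepted; anything else is rejected instead of being reflected back.
func resolveExternalHost(h http.Header) (string, error) {
	host := strings.ToLower(forwardedHost(h))
	if host == "" {
		return defaultExternalHost, nil
	}
	if trustedHosts[host] {
		return host, nil
	}
	return "", fmt.Errorf("%w: %q", ErrUntrustedHost, host)
}

// buildResetURL builds the password reset confirmation link. The path and the
// "userID"/"code" parameter names are hypothetical, not the product's own.
func buildResetURL(h http.Header, userID, code string) (string, error) {
	host, err := resolveExternalHost(h)
	if err != nil {
		return "", err
	}
	u := url.URL{Scheme: "https", Host: host, Path: "/ui/login/password/init"}
	q := u.Query()
	q.Set("userID", userID)
	q.Set("code", code)
	u.RawQuery = q.Encode() // keys are emitted in sorted order: code, userID
	return u.String(), nil
}

func main() {
	// Constructed request headers: one from the legitimate deployment, one
	// carrying a host we never configured.
	legit := http.Header{"X-Forwarded-Host": {"login.example.com"}}
	u, err := buildResetURL(legit, "u1", "CODE")
	fmt.Println(u, err)

	spoofed := http.Header{"Forwarded": {`for=203.0.113.5;host="attacker.invalid";proto=https`}}
	u, err = buildResetURL(spoofed, "u1", "CODE")
	fmt.Println(u, err)
}
```

Rejecting rather than silently falling back to the default is deliberate: a request whose forwarded host is not one you serve is either a misconfigured proxy or an attempt to poison links, and both deserve a logged error so operators notice. The lowercase comparison keeps the allowlist lookup case-insensitive, matching how hostnames are compared.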
Affected Version(s)
Package   Affected range            Not affected / fixed in
zitadel   >= 4.0.0-rc.1, < 4.6.0    < 4.0.0-rc.1, 4.6.0
zitadel   >= 3.0.0-rc.1, < 3.4.3    < 3.0.0-rc.1, 3.4.3
zitadel   >= 2.0.0, < 2.71.18       < 2.0.0, 2.71.18
