Vulnerability in Zitadel's Password Reset Mechanism
CVE-2025-64101
What is CVE-2025-64101?
CVE-2025-64101 is a vulnerability identified in Zitadel's open-source identity infrastructure software prior to versions 4.6.0, 3.4.3, and 2.71.18. It is rooted in Zitadel's password reset mechanism, which builds the password reset confirmation link from the Forwarded or X-Forwarded-Host headers of the incoming request. An attacker who can control these headers can cause Zitadel to generate a reset link that points at a domain under the attacker's control. That link still carries the secret reset code, so if the user opens it the attacker receives the code and can use it to take over the user's account. This vulnerability is mitigated for users who have enabled Multi-Factor Authentication (MFA) or Passwordless authentication.
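A hardened way to build such a link, added here as an illustration and not Zitadel's own code: the host comes from the configured public origin, a forwarded host is accepted only when it is on an explicit allowlist, and a rejected host is returned so the request can be logged. The canonical origin, the allowlist and the /password/reset path are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// forwardedHost reads host= from an RFC 7239 Forwarded header (first hop), falling back to
// X-Forwarded-Host. Both are client-influenced input and must not become the link host unchecked.
func forwardedHost(h http.Header) string {
	if fwd := h.Get("Forwarded"); fwd != "" {
		for _, part := range strings.Split(strings.Split(fwd, ",")[0], ";") {
			kv := strings.SplitN(strings.TrimSpace(part), "=", 2)
			if len(kv) == 2 && strings.EqualFold(kv[0], "host") {
				return strings.Trim(kv[1], `"`)
			}
		}
	}
	return h.Get("X-Forwarded-Host")
}

// BuildResetLink builds the reset link from canonical, the deployment's configured public
// origin (assumed config value), plus allowedHosts, the extra hostnames it legitimately serves.
// A forwarded host is used only if it is on that list; otherwise the canonical host wins and
// the rejected value is returned so the caller can log the request as suspicious.
func BuildResetLink(canonical string, allowedHosts []string, h http.Header, code string) (string, string, error) {
	u, err := url.Parse(canonical)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return "", "", fmt.Errorf("canonical origin must be an absolute URL: %q", canonical)
	}
	allowed := map[string]bool{strings.ToLower(u.Host): true}
	for _, a := range allowedHosts {
		allowed[strings.ToLower(a)] = true
	}
	host := strings.ToLower(strings.TrimSpace(forwardedHost(h)))
	rejected := ""
	switch {
	case host == "": // no proxy header at all: keep the configured host
	case allowed[host]:
		u.Host = host
	default:
		rejected = host
	}
	u.Path = "/password/reset" // constructed path, not an actual Zitadel route
	u.RawQuery = url.Values{"code": {code}}.Encode()
	return u.String(), rejected, nil
}
```

A non-empty rejected host is the signal worth alerting on: a reset request whose proxy headers name a host the deployment does not serve.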
Potential Impact of CVE-2025-64101
- Unauthorized Access: If exploited, this vulnerability lets an attacker capture the reset code through the manipulated link and gain unauthorized access to the user's account, leading to possible identity theft and data breaches.
- Compromise of User Security: An attacker who takes over a user account may gain further access to sensitive information and systems, affecting not only the individual user but potentially organizational data as well.
- Reputational Damage: Organizations affected by this vulnerability could face significant reputational damage, especially if user accounts are compromised and sensitive information is leaked, leading to a loss of customer trust and potential financial consequences.
Affected Version(s)
Package | Affected versions        | Unaffected versions
zitadel | >= 4.0.0-rc.1, < 4.6.0   | < 4.0.0-rc.1, 4.6.0
zitadel | >= 3.0.0-rc.1, < 3.4.3   | < 3.0.0-rc.1, 3.4.3
zitadel | >= 2.0.0, < 2.71.18      | < 2.0.0, 2.71.18
