Unauthenticated SSRF Vulnerability in ZITADEL Identity Infrastructure Tool
CVE-2025-67494

9.3 CRITICAL

Key Information:

Vendor: Zitadel
Status: Vendor
CVE Published: 9 December 2025

What is CVE-2025-67494?

ZITADEL, an open-source identity infrastructure tool, is affected by a full-read Server-Side Request Forgery (SSRF) vulnerability in the 4.x release line up to and including 4.7.0 (the other affected ranges are listed under Affected Version(s) below). The cause is that the ZITADEL Login UI (V2) trusts the 'x-zitadel-forward-host' request header in every deployment, including self-hosted instances, instead of only where a shared login UI legitimately serves several hosts. Because the header value is used to build the target of server-side HTTP requests, an unauthenticated attacker can make the server send requests to arbitrary hosts, including internal IP addresses, and read the responses ("full-read" SSRF). This allows unauthorised access to data reachable from the server and bypasses network segmentation. The issue is resolved in version 4.7.1.
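The following is an added illustration of the trust mistake described above and of a hardened replacement; it is not ZITADEL's code. The function names, the request shape, the `trustForwardHost` opt-in flag and the allowlist are assumptions made for this example. The hardened lookup ignores the header unless the operator has opted in, accepts only a bare host (no credentials, path, query, fragment or IP literal, including the hex and decimal IPv4 forms the WHATWG URL parser normalises), and then requires an exact allowlist match.

```typescript
// Added example, not ZITADEL's code: the vulnerable pattern described in the advisory
// (honouring x-zitadel-forward-host unconditionally) next to a hardened lookup.
// Function names, the request shape and the policy fields are assumptions for this example.
import { isIP } from "node:net";

export interface RequestLike {
  // header names assumed lower-cased, as Node's HTTP parser delivers them
  headers: Record<string, string | undefined>;
}

export interface ForwardHostPolicy {
  trustForwardHost: boolean;         // assumed opt-in; a self-hosted instance leaves it false
  allowedHosts: ReadonlySet<string>; // exact lower-case "host" or "host:port" values
}

export const FORWARD_HOST_HEADER = "x-zitadel-forward-host";

// Vulnerable pattern: whatever the client sends becomes the origin of server-side API calls,
// so an unauthenticated caller can point them at any domain or internal address.
export function apiOriginVulnerable(req: RequestLike, configuredOrigin: string): string {
  const forwarded = req.headers[FORWARD_HOST_HEADER];
  return forwarded ? `https://${forwarded}` : configuredOrigin;
}

// Returns the canonical host[:port] for a header value, or null unless the value is a bare
// DNS host: no whitespace, slashes, credentials, path, query, fragment or IP literal.
export function canonicalForwardHost(raw: string): string | null {
  if (raw.length === 0 || raw.length > 253 || /[\s\/\\@?#]/.test(raw)) return null;
  let parsed: URL;
  try {
    parsed = new URL(`https://${raw}`);
  } catch {
    return null;
  }
  if (parsed.username || parsed.password || parsed.pathname !== "/" || parsed.search || parsed.hash) {
    return null;
  }
  // Refuse IP literals outright. The URL parser already normalises "0x0a000005" or
  // "2130706433" to dotted form, so isIP() sees them; bracketed IPv6 is caught separately.
  if (isIP(parsed.hostname) !== 0 || parsed.hostname.startsWith("[")) return null;
  return parsed.host.toLowerCase();
}

// Hardened pattern: the header is ignored unless the deployment opted in, and even then the
// value must be a well-formed host that appears in an operator-maintained allowlist.
export function apiOriginHardened(
  req: RequestLike,
  configuredOrigin: string,
  policy: ForwardHostPolicy,
): string {
  const raw = req.headers[FORWARD_HOST_HEADER];
  if (!policy.trustForwardHost || raw === undefined) return configuredOrigin;
  const host = canonicalForwardHost(raw);
  if (host === null || !policy.allowedHosts.has(host)) {
    throw new Error(`rejected ${FORWARD_HOST_HEADER}: not an allow-listed host`);
  }
  return `https://${host}`;
}
```

An allowlist is used rather than a denylist of private address ranges on purpose: a DNS name in the header can resolve to an internal address (or be rebound to one after a check), and a denylist on the raw string cannot see that without resolving the name itself.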

Affected Version(s)

zitadel: < 1.80.0-v2.20.0.20251208091519-4c879b47334e

zitadel: >= 1.83.4, <= 1.87.5

zitadel: >= 4.0.0-rc.1, < 4.7.1

References

CVSS V3.1

Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Caveat: the metrics listed here (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:H) evaluate to 10.0 under the CVSS v3.1 base formula, not 9.3, so the 9.3 figure does not derive from this vector as a v3.1 score; check the vendor advisory for the scoring version and vector before relying on the number.

Timeline

  • Vulnerability published: 9 December 2025

  • Vulnerability reserved
