CVE-2025-64101 in Zitadel

Summary

by MITRE • 10/29/2025

Zitadel is open-source identity infrastructure software. Prior to 4.6.0, 3.4.3, and 2.71.18, a potential vulnerability exists in ZITADEL's password reset mechanism. ZITADEL utilizes the Forwarded or X-Forwarded-Host header from incoming requests to construct the URL for the password reset confirmation link. This link, containing a secret code, is then emailed to the user. If an attacker can manipulate these headers (e.g., via host header injection), they could cause ZITADEL to generate a password reset link pointing to a malicious domain controlled by the attacker. If the user clicks this manipulated link in the email, the secret reset code embedded in the URL can be captured by the attacker. This captured code could then be used to reset the user's password and gain unauthorized access to their account. It's important to note that this specific attack vector is mitigated for accounts that have Multi-Factor Authentication (MFA) or Passwordless authentication enabled. This vulnerability is fixed in 4.6.0, 3.4.3, and 2.71.18.


Analysis

by VulDB Data Team • 10/29/2025

CVE-2025-64101 affects ZITADEL, an open-source identity infrastructure platform that provides authentication and authorization services. The flaw exists in versions prior to 4.6.0, 3.4.3, and 2.71.18 and sits in the password reset functionality, where it can be turned into account takeover of password-only users. It stems from the software trusting client-supplied HTTP headers when it builds the password reset confirmation link, which turns a routine proxy convention into an attack surface against user accounts.

Technically, ZITADEL derives the host of the password reset confirmation link from the Forwarded or X-Forwarded-Host request header. These headers exist so that a reverse proxy or load balancer can tell the backend which hostname the client actually used; trusting them is only safe when every path to the backend passes through a proxy that overwrites or strips them. If a client can reach ZITADEL with its own value for either header (directly, or through a proxy that forwards them unchanged), the attacker chooses the host that ends up in the link. No validation of the header value against the instance's configured domains took place, so the generated link pointed wherever the header said.

The operational impact follows directly: the attacker triggers a password reset for the victim's account while supplying a Forwarded or X-Forwarded-Host header naming a domain they control. ZITADEL sends the victim a genuine reset email, from the legitimate sender, whose link points at the attacker's domain and carries the secret reset code in its URL. When the victim clicks, the attacker's server receives the code and can redeem it against the real ZITADEL instance to set a new password. This is the well-known password reset poisoning pattern (a form of host header injection), not an open redirect: the server never redirects anyone, it embeds the attacker-controlled host into an outbound message itself. Exploitation requires the victim to click the poisoned link. Accounts with Multi-Factor Authentication or Passwordless authentication enabled are not exposed to this vector, since the reset code alone does not grant them a session.

The consequences go beyond a single account, since ZITADEL is the identity provider for downstream applications: a compromised account can be used against every service that federates to it. The entry aligns this with CWE-601 (Open Redirect); the mechanism is closer to improper trust in HTTP host headers during password recovery, and defenders searching for this class should look for password reset poisoning rather than redirect issues. In ATT&CK terms the outcome is credential access leading to unauthorized use of valid accounts. Organizations running affected versions should upgrade to 4.6.0, 3.4.3, or 2.71.18. The advisory does not detail the code change; the standard fix for this class is to build the link from the instance's configured external domain (or a strict allowlist of its domains) instead of request headers. Independently of the upgrade, operators can mitigate at the edge by having the reverse proxy overwrite or drop incoming Forwarded and X-Forwarded-Host headers, by denying direct access to the ZITADEL backend, and by enrolling users in MFA or passwordless authentication. The low EPSS score recorded below reflects the need for user interaction and the absence of known exploitation at publication, not a low impact.
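The following Go program is an added illustration of the pattern described in the summary and in the analysis above, not code from the ZITADEL project. It shows a reset-link builder that takes its host from Forwarded / X-Forwarded-Host (the vulnerable shape) next to one that only uses the configured external domain or an explicit allowlist (the hardened shape), and runs both against a constructed request carrying a poisoned header. The path `/ui/login/password/init`, the `code` query parameter, the hostnames, and the reset code are assumptions for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// Assumed link layout for the example; not taken from the ZITADEL source.
const resetPath = "/ui/login/password/init"

// forwardedHost extracts the host= parameter from an RFC 7239 Forwarded header.
// Only the first forwarded-element (before the first comma) is inspected and
// optional double quotes around the value are removed.
func forwardedHost(h string) string {
	first := strings.SplitN(h, ",", 2)[0]
	for _, pair := range strings.Split(first, ";") {
		k, v, ok := strings.Cut(strings.TrimSpace(pair), "=")
		if ok && strings.EqualFold(k, "host") {
			return strings.Trim(strings.TrimSpace(v), `"`)
		}
	}
	return ""
}

// requestedHost returns the host a client *claims* it used: Forwarded first,
// then X-Forwarded-Host, then the Host header. Any of the first two can be
// chosen freely by whoever can reach the backend without a sanitizing proxy.
func requestedHost(r *http.Request) string {
	if h := forwardedHost(r.Header.Get("Forwarded")); h != "" {
		return h
	}
	if h := r.Header.Get("X-Forwarded-Host"); h != "" {
		return h
	}
	return r.Host
}

// resetLinkVulnerable mirrors the flaw in the advisory: the emailed link's host
// comes straight from client-controllable headers, so the secret code is sent
// to whatever domain the attacker named.
func resetLinkVulnerable(r *http.Request, code string) string {
	return "https://" + requestedHost(r) + resetPath + "?code=" + url.QueryEscape(code)
}

// resetLinkHardened never trusts the request for the host. It uses the
// operator-configured external domain, and only honours a forwarded host when
// that host is on an explicit allowlist (for legitimate multi-domain setups).
func resetLinkHardened(r *http.Request, code, externalDomain string, allowed map[string]bool) string {
	host := externalDomain
	if h := requestedHost(r); allowed[strings.ToLower(h)] {
		host = h
	}
	return "https://" + host + resetPath + "?code=" + url.QueryEscape(code)
}

func main() {
	// Constructed request: an attacker asks for a reset on the victim's account
	// and injects a host they control. The reset code is a placeholder.
	req, _ := http.NewRequest(http.MethodPost, "https://id.example.com/password_reset", nil)
	req.Header.Set("X-Forwarded-Host", "attacker.example")
	allowed := map[string]bool{"id.example.com": true}

	fmt.Println("vulnerable:", resetLinkVulnerable(req, "s3cr3t"))
	fmt.Println("hardened:  ", resetLinkHardened(req, "s3cr3t", "id.example.com", allowed))
}
```

Running the program prints a link to attacker.example from the vulnerable builder and a link to id.example.com from the hardened one for the same request. The same check belongs at the reverse proxy: if the proxy overwrites Forwarded and X-Forwarded-Host with the hostname it actually served, `requestedHost` can no longer be steered by a client even in the vulnerable version.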

Responsible

GitHub M

Reservation

10/27/2025

Disclosure

10/29/2025

Moderation

accepted

CPE

ready

EPSS

0.00067

KEV

no

Activities

very low
