CVE-2025-67494 in Zitadel
Summary
by MITRE • 12/10/2025
ZITADEL is an open-source identity infrastructure tool. Versions 4.7.0 and below are vulnerable to an unauthenticated, full-read SSRF vulnerability. The ZITADEL Login UI (V2) treats the x-zitadel-forward-host header as a trusted fallback for all deployments, including self-hosted instances. This allows an unauthenticated attacker to force the server to make HTTP requests to arbitrary domains, such as internal addresses, and read the responses, enabling data exfiltration and bypassing network-segmentation controls. This issue is fixed in version 4.7.1.
Analysis
by VulDB Data Team • 12/20/2025
The vulnerability described in CVE-2025-67494 represents a critical security flaw in ZITADEL identity infrastructure software that affects versions 4.7.0 and earlier. This issue manifests as an unauthenticated server-side request forgery vulnerability that fundamentally undermines the security boundaries of self-hosted deployments. The vulnerability specifically affects the ZITADEL Login UI version 2 implementation, where the system incorrectly trusts the x-zitadel-forward-host header without proper validation or authentication checks. This header is intended only as a fallback source for host information, but it is treated as a trustworthy source across all deployment scenarios, including self-hosted instances that may be isolated from external networks.
The technical exploitation of this vulnerability occurs through the manipulation of HTTP headers that the application processes without adequate verification. When an attacker crafts a request with a malicious x-zitadel-forward-host header value, the vulnerable system accepts this input and uses it to construct subsequent HTTP requests to arbitrary destinations. This behavior enables attackers to bypass standard network segmentation controls and gain access to internal systems that would normally be protected from external network access. The vulnerability is particularly dangerous because it allows for full read access to responses from targeted internal services, potentially enabling comprehensive data exfiltration and reconnaissance activities.
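The fallback pattern described above, and the hardened form a defender would want in its place, as an added illustration that is not ZITADEL's code and not the actual fix shipped in 4.7.1. All names (the allowlist, `resolveHostUnsafe`, `resolveHostSafe`, `buildUpstreamUrl`) and the sample hosts are assumptions for this example; the point is that a forwarded-host header must never be the sole input that decides where the server sends a request.

```typescript
// Added example (not ZITADEL's code): resolving the host used for server-side
// requests without trusting an arbitrary forwarded-host header.
// Function names, the allowlist and all hosts below are assumptions for illustration.

// Constructed sample: the hosts this deployment is actually allowed to talk to.
const ALLOWED_HOSTS: ReadonlySet<string> = new Set([
  "auth.example.internal",
  "login.example.com",
]);

interface RequestHeaders {
  [name: string]: string | undefined;
}

/** Vulnerable pattern described on the page: when no host is configured, the
 *  header is used as a fallback for every deployment, so any caller can choose
 *  the destination of the server's subsequent request. */
function resolveHostUnsafe(headers: RequestHeaders, configuredHost?: string): string | undefined {
  return configuredHost ?? headers["x-zitadel-forward-host"];
}

/** Hardened: the configured host always wins; a forwarded host is honoured only
 *  when it is a bare host[:port] (no scheme, path or userinfo) and the hostname
 *  is on the allowlist. Anything else yields no host, so no request is made. */
function resolveHostSafe(headers: RequestHeaders, configuredHost?: string): string | undefined {
  if (configuredHost) return configuredHost;
  const fwd = headers["x-zitadel-forward-host"];
  if (!fwd) return undefined;
  const host = fwd.trim().toLowerCase();
  if (!/^[a-z0-9.-]+(:\d{1,5})?$/.test(host)) return undefined;
  const hostname = host.split(":")[0] ?? "";
  return ALLOWED_HOSTS.has(hostname) ? hostname : undefined;
}

/** Builds the upstream URL for an internal call. The path must be a plain
 *  absolute path so it cannot smuggle in a different origin. */
function buildUpstreamUrl(headers: RequestHeaders, configuredHost: string | undefined, path: string): string | undefined {
  const host = resolveHostSafe(headers, configuredHost);
  if (!host) return undefined;
  if (!path.startsWith("/") || path.startsWith("//")) return undefined;
  return new URL(path, `https://${host}`).toString();
}
```

The allowlist is the important part: syntactic checks alone would still let a caller name any well-formed host, which is exactly the full-read SSRF the advisory describes.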
From an operational impact perspective, this vulnerability creates a significant risk for organizations relying on self-hosted ZITADEL deployments where internal network resources are assumed to be protected from external access. The attack vector requires no authentication credentials, making it particularly dangerous: anyone who can send a request to the vulnerable Login UI can exploit it. The ability to make arbitrary HTTP requests to internal addresses means that attackers can potentially access internal APIs, databases, or other sensitive systems that are not directly exposed to the internet. The vulnerability thus provides a way around network security controls and can lead to unauthorized data access, system compromise, and potential lateral movement within the affected network environment.
The fix implemented in version 4.7.1 addresses this vulnerability by properly validating and sanitizing the x-zitadel-forward-host header before using it in any HTTP request construction. This remediation aligns with industry best practices for input validation and secure coding standards. Organizations should prioritize upgrading to version 4.7.1 or later to mitigate this risk. Additionally, security teams should conduct thorough network monitoring to detect any suspicious outbound requests that might indicate exploitation attempts. The vulnerability falls under CWE-918, which specifically addresses server-side request forgery vulnerabilities, and can be mapped to ATT&CK technique T1071.004 for application layer protocol tunneling. This issue highlights the importance of proper header validation and the dangers of trusting unauthenticated input in security-critical applications, particularly in identity infrastructure tools where the compromise can have widespread implications across an organization's authentication and access control systems.
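The monitoring recommendation above is easier to act on with concrete signals. The following added example (not ZITADEL's or VulDB's code) runs two checks over constructed sample logs: inbound requests carrying an x-zitadel-forward-host value outside the deployment's expected hosts, outbound connections from the Login UI to destinations it never talks to, and a correlation of the two. The log formats, field names (`fwd_host`), service name (`login-ui`), hosts and timestamps are all assumptions for this example.

```typescript
// Added example (not ZITADEL's or VulDB's code): detection checks for the
// CVE-2025-67494 pattern over constructed sample log lines.
// Log formats, field names, service names and hosts are assumptions.

// Constructed sample: reverse-proxy access log in front of the Login UI,
// one JSON object per line, with the forwarded-host header value recorded.
const ACCESS_LOG = `
{"ts":"2025-12-10T10:00:01Z","src":"203.0.113.7","path":"/ui/v2/login","fwd_host":""}
{"ts":"2025-12-10T10:00:02Z","src":"203.0.113.7","path":"/ui/v2/login","fwd_host":"login.example.com"}
{"ts":"2025-12-10T10:00:03Z","src":"198.51.100.9","path":"/ui/v2/login","fwd_host":"not-on-list.example"}
{"ts":"2025-12-10T10:00:04Z","src":"198.51.100.9","path":"/ui/v2/login","fwd_host":"10.0.0.23:8080"}
`;

// Constructed sample: egress log of the login-ui service.
const EGRESS_LOG = `
2025-12-10T10:00:02Z login-ui -> auth.example.internal:443
2025-12-10T10:00:03Z login-ui -> not-on-list.example:443
2025-12-10T10:00:04Z login-ui -> 10.0.0.23:8080
2025-12-10T10:00:05Z login-ui -> auth.example.internal:443
`;

// Constructed sample: the only hosts this deployment should ever see or contact.
const EXPECTED_HOSTS: ReadonlySet<string> = new Set(["login.example.com", "auth.example.internal"]);

interface Finding { ts: string; reason: string; value: string; src?: string }

function hostnameOf(hostPort: string): string {
  return hostPort.trim().toLowerCase().split(":")[0] ?? "";
}

/** Inbound signal: the header is present with a value outside the expected hosts.
 *  Legitimate clients have no reason to send it with anything else. */
function unexpectedForwardHost(log: string): Finding[] {
  const findings: Finding[] = [];
  for (const line of log.split("\n")) {
    if (!line.trim()) continue;
    const rec = JSON.parse(line) as { ts: string; src: string; fwd_host: string };
    if (rec.fwd_host && !EXPECTED_HOSTS.has(hostnameOf(rec.fwd_host))) {
      findings.push({ ts: rec.ts, src: rec.src, reason: "unexpected x-zitadel-forward-host", value: rec.fwd_host });
    }
  }
  return findings;
}

/** Outbound signal: the Login UI connecting somewhere it never should. */
function unexpectedEgress(log: string): Finding[] {
  const findings: Finding[] = [];
  const re = /^(\S+) login-ui -> (\S+)$/;
  for (const line of log.split("\n")) {
    const m = re.exec(line.trim());
    if (!m) continue;
    const ts = m[1];
    const dst = m[2];
    if (!EXPECTED_HOSTS.has(hostnameOf(dst))) {
      findings.push({ ts, reason: "unexpected egress destination", value: dst });
    }
  }
  return findings;
}

/** Correlation: an unexpected egress to the same host within a few seconds of
 *  an inbound record naming that host is a strong exploitation indicator. */
function correlate(inbound: Finding[], outbound: Finding[], windowSec = 5): Finding[] {
  const hits: Finding[] = [];
  for (const i of inbound) {
    for (const o of outbound) {
      const sameHost = hostnameOf(i.value) === hostnameOf(o.value);
      const deltaSec = Math.abs(Date.parse(o.ts) - Date.parse(i.ts)) / 1000;
      if (sameHost && deltaSec <= windowSec) {
        hits.push({ ts: o.ts, src: i.src, reason: "forward-host value followed by matching egress", value: o.value });
      }
    }
  }
  return hits;
}
```

On a patched instance the inbound check alone is still useful: requests that keep arriving with unexpected header values show who is probing for the issue, and the egress check confirms the fix is holding.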