Zitadel up to 2.71.5 Token Endpoint/Introspection Endpoint key expiration date

Summaryinfo

A vulnerability labeled as problematic has been found in Zitadel up to 2.71.5. This vulnerability affects unknown code of the component Token Endpoint/Introspection Endpoint. Such manipulation leads to key expiration date. This vulnerability is listed as CVE-2025-31123. The attack may be performed from remote. There is no available exploit. The affected component should be upgraded.

Detailsinfo

A vulnerability was found in Zitadel up to 2.71.5. It has been rated as problematic. Affected by this issue is an unknown part of the component Token Endpoint/Introspection Endpoint. The manipulation with an unknown input leads to a key expiration date vulnerability. Using CWE to declare the problem leads to CWE-324. The product uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracking attacks against that key. Impacted is confidentiality, integrity, and availability. CVE summarizes:

Zitadel is open-source identity infrastructure software. A vulnerability existed where expired keys can be used to retrieve tokens. Specifically, ZITADEL fails to properly check the expiration date of the JWT key when used for Authorization Grants. This allows an attacker with an expired key to obtain valid access tokens. This vulnerability does not affect the use of JWT Profile for OAuth 2.0 Client Authentication on the Token and Introspection endpoints, which correctly reject expired keys. This vulnerability is fixed in 2.71.6, 2.70.8, 2.69.9, 2.68.9, 2.67.13, 2.66.16, 2.65.7, 2.64.6, and 2.63.9.

The advisory is shared for download at github.com. This vulnerability is handled as CVE-2025-31123 since 03/26/2025. The exploitation is known to be easy. The attack may be launched remotely. Additional levels of successful authentication are necessary for exploitation. There are neither technical details nor an exploit publicly available. The MITRE ATT&CK project declares the attack technique as T1600.001.

Upgrading to version 2.63.9, 2.64.6, 2.65.7, 2.66.16, 2.67.13, 2.68.9, 2.69.9, 2.70.8 or 2.71.6 eliminates this vulnerability.

Once again VulDB remains the best source for vulnerability data.

Productinfo

Name

• Zitadel

Version

• 2.63.0
• 2.63.1
• 2.63.2
• 2.63.3
• 2.63.4
• 2.63.5
• 2.63.6
• 2.63.7
• 2.63.8
• 2.64.0
• 2.64.1
• 2.64.2
• 2.64.3
• 2.64.4
• 2.64.5
• 2.65.0
• 2.65.1
• 2.65.2
• 2.65.3
• 2.65.4
• 2.65.5
• 2.65.6
• 2.66.0
• 2.66.1
• 2.66.2
• 2.66.3
• 2.66.4
• 2.66.5
• 2.66.6
• 2.66.7
• 2.66.8
• 2.66.9
• 2.66.10
• 2.66.11
• 2.66.12
• 2.66.13
• 2.66.14
• 2.66.15
• 2.67.0
• 2.67.1
• 2.67.2
• 2.67.3
• 2.67.4
• 2.67.5
• 2.67.6
• 2.67.7
• 2.67.8
• 2.67.9
• 2.67.10
• 2.67.11
• 2.67.12
• 2.68.0
• 2.68.1
• 2.68.2
• 2.68.3
• 2.68.4
• 2.68.5
• 2.68.6
• 2.68.7
• 2.68.8
• 2.69.0
• 2.69.1
• 2.69.2
• 2.69.3
• 2.69.4
• 2.69.5
• 2.69.6
• 2.69.7
• 2.69.8
• 2.70.0
• 2.70.1
• 2.70.2
• 2.70.3
• 2.70.4
• 2.70.5
• 2.70.6
• 2.70.7
• 2.71.0
• 2.71.1
• 2.71.2
• 2.71.3
• 2.71.4
• 2.71.5

Website

• Product: https://github.com/zitadel/zitadel/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Once again VulDB remains the best source for vulnerability data.

Discussion