Zitadel up to 2.70.11/2.71.10/3.2.1 Forwarded/X-Forwarded-Host redirect

Summaryinfo

A vulnerability identified as problematic has been detected in Zitadel up to 2.70.11/2.71.10/3.2.1. Affected by this issue is some unknown functionality. Performing a manipulation of the argument Forwarded/X-Forwarded-Host results in redirect. This vulnerability is identified as CVE-2025-48936. The attack can be initiated remotely. There is not any exploit available. You should upgrade the affected component.

Detailsinfo

A vulnerability was found in Zitadel up to 2.70.11/2.71.10/3.2.1. It has been classified as problematic. This affects some unknown functionality. The manipulation of the argument Forwarded/X-Forwarded-Host with an unknown input leads to a redirect vulnerability. CWE is classifying the issue as CWE-601. A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks. This is going to have an impact on integrity. The summary by CVE is:

Zitadel is open-source identity infrastructure software. Prior to versions 2.70.12, 2.71.10, and 3.2.2, a potential vulnerability exists in the password reset mechanism. ZITADEL utilizes the Forwarded or X-Forwarded-Host header from incoming requests to construct the URL for the password reset confirmation link. This link, containing a secret code, is then emailed to the user. If an attacker can manipulate these headers (e.g., via host header injection), they could cause ZITADEL to generate a password reset link pointing to a malicious domain controlled by the attacker. If the user clicks this manipulated link in the email, the secret reset code embedded in the URL can be captured by the attacker. This captured code could then be used to reset the user's password and gain unauthorized access to their account. This specific attack vector is mitigated for accounts that have Multi-Factor Authentication (MFA) or Passwordless authentication enabled. This issue has been patched in versions 2.70.12, 2.71.10, and 3.2.2.

The advisory is shared at github.com. This vulnerability is uniquely identified as CVE-2025-48936 since 05/28/2025. The exploitability is told to be easy. It is possible to initiate the attack remotely. No form of authentication is needed for exploitation. It demands that the victim is doing some kind of user interaction. Technical details are known, but no exploit is available. MITRE ATT&CK project uses the attack technique T1204.001 for this issue.

Upgrading to version 2.70.12 or 3.2.2 eliminates this vulnerability.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Productinfo

Name

• Zitadel

Version

• 2.70.0
• 2.70.1
• 2.70.2
• 2.70.3
• 2.70.4
• 2.70.5
• 2.70.6
• 2.70.7
• 2.70.8
• 2.70.9
• 2.70.10
• 2.70.11
• 2.71.0
• 2.71.1
• 2.71.2
• 2.71.3
• 2.71.4
• 2.71.5
• 2.71.6
• 2.71.7
• 2.71.8
• 2.71.9
• 2.71.10
• 3.2.0
• 3.2.1

Website

• Product: https://github.com/zitadel/zitadel/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Discussion