Platform
go
Component
github.com/zitadel/zitadel
Fixed in
1.80.1
1.83.5
4.0.1
1.80.0-v2.20.0.20251208091519-4c879b47334e
CVE-2025-67494 describes a critical Server-Side Request Forgery (SSRF) vulnerability in Zitadel, an identity provider. It allows an unauthenticated attacker to make the Zitadel server issue HTTP requests to destinations of the attacker's choosing and to read the responses (a "full-read" SSRF), potentially exposing internal services and data. The affected range is 4.0.0-rc.1 up to, but not including, 4.7.1; the fix ships in 4.7.1 (the Fixed in list above also records the version identifier 1.80.0-v2.20.0.20251208091519-4c879b47334e).
An SSRF vulnerability lets an attacker craft a request that makes the Zitadel server open a connection of its own to a target the attacker chooses. That connection carries the server's network position and whatever trust is attached to it, so it reaches hosts the attacker cannot reach directly: services on the internal network, loopback-only administrative endpoints and, in cloud deployments, the instance metadata service. Because the response is returned to the attacker ("full-read"), the impact is not limited to probing for open ports; the content of whatever the server can fetch is exposed, which may include configuration data, API keys or credentials served by internal endpoints. That makes the flaw useful for reconnaissance, for data exfiltration, and as a stepping stone to further attacks within the internal network.
The vulnerability was publicly disclosed on 2025-12-15. No active campaigns targeting it are currently known and no public proof-of-concept (PoC) code has been observed, although SSRF flaws are usually simple to reproduce once the affected endpoint is known, so a PoC is likely to appear. Note that the CVSS score of 9.3 (CRITICAL) rates severity, not likelihood of exploitation; the EPSS estimate shown below (0.03%, 9th percentile) is currently low. Prioritize remediation on severity and exposure rather than waiting for evidence of exploitation.
Organizations running Zitadel as their authentication server are at risk if the instance is in the affected range (4.0.0-rc.1 up to but not including 4.7.1), and especially so if it is reachable from the Internet, since exploitation requires no account. Multi-tenant deployments, where a single Zitadel instance serves many organizations or customers, carry a larger blast radius: one exposed instance gives an attacker the server's reach into every internal service behind it, and the shared platform of all tenants is affected at once.
• linux / server:
ss -tnp | grep -i zitadel # live TCP connections of the zitadel process (run as root to see process names); unexpected internal destinations deserve a closer look
• linux / server:
go version -m "$(command -v zitadel)" | grep 'github.com/zitadel/zitadel' # module version embedded in the Go binary (needs the Go toolchain); affected if 4.0.0-rc.1 <= version < 4.7.1
• generic web:
curl -sI <zitadel_url>/.well-known/openid-configuration # OIDC discovery document; a response from an external vantage point means the instance is reachable from there
Disclosure
2025-12-15
Exploit status
EPSS
0.03% (9th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-67494 is to upgrade Zitadel to version 4.7.1 or later (the Fixed in list above also records the version identifier 1.80.0-v2.20.0.20251208091519-4c879b47334e). If upgrading is not immediately feasible, reduce what the server can reach: restrict outbound connections from the Zitadel host with host or network firewall rules or network segmentation, allowing only the destinations it legitimately needs (its database, configured external identity providers, SMTP and similar) and explicitly denying RFC 1918 ranges, loopback and the link-local range 169.254.0.0/16 that hosts cloud metadata services. Review and tighten access controls on internal services so that a request arriving from the Zitadel host is not implicitly trusted. Monitor Zitadel logs and host-level connection data for unexpected outbound requests. A WAF may filter obvious payloads but is not a substitute for patching.
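The pattern behind both the description above and the egress-restriction workaround in the mitigation paragraph, as an added example written for this page: it is not Zitadel's code and does not reproduce the vulnerable code path, which this page does not identify. A bare `http.Get(rawURL)` on caller-supplied input is the vulnerable form; the hardened fetcher below refuses non-HTTP schemes, refuses IP literals in internal ranges, and re-checks every connection after DNS resolution, which also covers redirects and DNS rebinding. The names `safeFetch`, `validateTarget` and `guardedDialContext` and the target URLs are this example's own.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/http"
	"net/netip"
	"net/url"
	"time"
)

// Ranges a server-side fetcher must not reach for an untrusted caller: RFC 1918,
// CGNAT, loopback, link-local (169.254.169.254 cloud metadata), IPv6 local scopes.
var blockedPrefixes = []netip.Prefix{
	netip.MustParsePrefix("10.0.0.0/8"),
	netip.MustParsePrefix("100.64.0.0/10"),
	netip.MustParsePrefix("127.0.0.0/8"),
	netip.MustParsePrefix("169.254.0.0/16"),
	netip.MustParsePrefix("172.16.0.0/12"),
	netip.MustParsePrefix("192.168.0.0/16"),
	netip.MustParsePrefix("::1/128"),
	netip.MustParsePrefix("fc00::/7"),
	netip.MustParsePrefix("fe80::/10"),
}

// isBlocked unmaps first so an IPv4-mapped literal such as ::ffff:127.0.0.1 is caught.
func isBlocked(ip netip.Addr) bool {
	ip = ip.Unmap()
	for _, p := range blockedPrefixes {
		if p.Contains(ip) {
			return true
		}
	}
	return false
}

// validateTarget rejects non-HTTP schemes and IP-literal hosts in blocked ranges
// before any connection is opened; hostnames are vetted at dial time instead.
func validateTarget(rawURL string) error {
	u, err := url.Parse(rawURL)
	if err != nil {
		return err
	}
	if (u.Scheme != "http" && u.Scheme != "https") || u.Hostname() == "" {
		return fmt.Errorf("ssrf guard: rejected %q (scheme or host)", rawURL)
	}
	if ip, err := netip.ParseAddr(u.Hostname()); err == nil && isBlocked(ip) {
		return fmt.Errorf("ssrf guard: %s is an internal address", ip)
	}
	return nil
}

// guardedDialContext resolves the name itself, refuses if any answer is blocked,
// and dials the vetted IP literal, so the address checked is the address connected
// to (no DNS-rebinding window). It runs on every connection, redirects included.
func guardedDialContext(ctx context.Context, network, addr string) (net.Conn, error) {
	host, port, err := net.SplitHostPort(addr)
	if err != nil {
		return nil, err
	}
	ips, err := net.DefaultResolver.LookupNetIP(ctx, "ip", host)
	if err != nil {
		return nil, err
	}
	for _, ip := range ips {
		if isBlocked(ip) {
			return nil, fmt.Errorf("ssrf guard: %s resolves to internal address %s", host, ip)
		}
	}
	if len(ips) == 0 {
		return nil, fmt.Errorf("ssrf guard: no addresses for %s", host)
	}
	var d net.Dialer // first vetted address only; a production dialer would try each
	return d.DialContext(ctx, network, net.JoinHostPort(ips[0].Unmap().String(), port))
}

// hardenedClient replaces a bare http.Get(rawURL), the vulnerable form: every
// connection passes through guardedDialContext and requests are time-bounded.
var hardenedClient = &http.Client{
	Timeout:   10 * time.Second,
	Transport: &http.Transport{DialContext: guardedDialContext},
}

func safeFetch(rawURL string) (*http.Response, error) {
	if err := validateTarget(rawURL); err != nil {
		return nil, err
	}
	return hardenedClient.Get(rawURL)
}

func main() {
	// Constructed targets; each is refused before any connection is opened.
	for _, t := range []string{"http://169.254.169.254/latest/meta-data/", "file:///etc/passwd"} {
		_, err := safeFetch(t)
		fmt.Println(t, "->", err)
	}
}
```

The dialer deliberately fails closed when any resolved address is internal, rather than skipping that record and trying the next, because an attacker-controlled name can return mixed public and private answers. Host-level egress filtering, the workaround described in the mitigation paragraph, enforces the same policy outside the process and is the right place for it while the application cannot be patched; the in-process guard is what a fixed application carries.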
Update ZITADEL to version 4.7.1 or later. This version fixes the SSRF vulnerability that allows unauthenticated attackers to send HTTP requests from the server to arbitrary domains. The update prevents data exfiltration and the bypassing of network segmentation controls.
CVE-2025-67494 is a critical SSRF vulnerability in Zitadel that lets unauthenticated attackers make the server fetch and return internal resources. It affects versions from 4.0.0-rc.1 up to but not including 4.7.1 and requires immediate attention.
If you are running Zitadel 4.0.0-rc.1 or later but earlier than 4.7.1, you are vulnerable. Check your version and upgrade as soon as possible.
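As an added example (not the page's or Zitadel's code): a stdlib-only Go check that decides whether a version string, for instance the one pinned in go.mod or printed by `go version -m` on the binary, falls in the affected range stated on this page. It applies semantic-version precedence so that 4.0.0-rc.1 counts as affected while 4.0.0-beta.2 does not, and it classifies a Go pseudo-version below 4.7.1 (the constructed v4.7.1-0.20251201000000-abcdefabcdef) as affected, which is the right default for an untagged commit that may or may not contain the fix; confirm such pins by hand. The function names and sample versions are this example's own.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Affected range stated on this page: 4.0.0-rc.1 (inclusive) up to 4.7.1 (exclusive).
const affectedFrom, fixedIn = "v4.0.0-rc.1", "v4.7.1"

type semver struct {
	nums [3]int // MAJOR, MINOR, PATCH
	pre  string // prerelease part after '-', "" for a release
}

// parseSemver accepts an optional "v" prefix. A Go pseudo-version such as
// v4.7.1-0.20251201000000-abcdefabcdef keeps "0.2025...-abcdefabcdef" as pre
// and therefore sorts below the v4.7.1 release, matching Go's own ordering.
func parseSemver(s string) (v semver, err error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	if i := strings.IndexByte(s, '-'); i >= 0 {
		v.pre, s = s[i+1:], s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return v, fmt.Errorf("not a semantic version: %q", s)
	}
	for i, p := range parts {
		v.nums[i], err = strconv.Atoi(p)
		if err != nil {
			return v, fmt.Errorf("bad version component %q: %w", p, err)
		}
	}
	return v, nil
}

func cmpInt(a, b int) int {
	if a < b {
		return -1
	} else if a > b {
		return 1
	}
	return 0
}

// cmpIdent: numeric identifiers compare numerically and sort before alphanumeric ones.
func cmpIdent(a, b string) int {
	an, aerr := strconv.Atoi(a)
	bn, berr := strconv.Atoi(b)
	if aerr == nil && berr == nil {
		return cmpInt(an, bn)
	}
	if aerr == nil {
		return -1
	}
	if berr == nil {
		return 1
	}
	return strings.Compare(a, b)
}

// compare implements semver precedence: numbers first, then a release outranks
// any prerelease, then prerelease identifiers left to right, shorter prefix first.
func compare(a, b semver) int {
	for i := range a.nums {
		if c := cmpInt(a.nums[i], b.nums[i]); c != 0 {
			return c
		}
	}
	if a.pre == "" || b.pre == "" {
		return cmpInt(len(b.pre), len(a.pre)) // empty pre (a release) wins
	}
	as, bs := strings.Split(a.pre, "."), strings.Split(b.pre, ".")
	for i := 0; i < len(as) && i < len(bs); i++ {
		if c := cmpIdent(as[i], bs[i]); c != 0 {
			return c
		}
	}
	return cmpInt(len(as), len(bs))
}

// isAffected reports whether version lies in [affectedFrom, fixedIn).
func isAffected(version string) (bool, error) {
	v, err := parseSemver(version)
	if err != nil {
		return false, err
	}
	lo, _ := parseSemver(affectedFrom)
	hi, _ := parseSemver(fixedIn)
	return compare(v, lo) >= 0 && compare(v, hi) < 0, nil
}

func main() {
	// Constructed version strings, including a Go pseudo-version, for the demonstration.
	for _, v := range []string{"v3.9.0", "v4.0.0-rc.1", "v4.6.0", "v4.7.1-0.20251201000000-abcdefabcdef", "v4.7.1"} {
		affected, err := isAffected(v)
		fmt.Println(v, "affected:", affected, err)
	}
}
```

A replace directive or a vendored fork is not covered by this check; inspect the actual code the binary was built from in those cases.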
Upgrade Zitadel to version 4.7.1 or later (the Fixed in list at the top of this page also records the version identifier 1.80.0-v2.20.0.20251208091519-4c879b47334e). If an immediate upgrade is not possible, apply temporary workarounds such as egress filtering from the Zitadel host.
While no active campaigns are confirmed, an unauthenticated, network-reachable SSRF is a likely target once proof-of-concept code circulates.
Refer to the Zitadel security advisories for detailed information and updates: https://github.com/zitadel/zitadel/security/advisories