Platform
go
Component
github.com/zitadel/zitadel
Fixed in
1.80.1
1.83.5
4.0.1
1.80.0-v2.20.0.20251208091519-4c879b47334e
CVE-2025-67494 describes a critical Server-Side Request Forgery (SSRF) vulnerability discovered in Zitadel, an open-source authentication server. This flaw allows unauthenticated attackers to perform full-read operations, potentially accessing internal resources and sensitive data. The vulnerability impacts versions prior to 4.7.1, and a fix is available in version 1.80.0-v2.20.0.20251208091519-4c879b47334e.
The SSRF vulnerability in Zitadel allows an attacker to craft requests that the server forwards to arbitrary internal or external resources. Because the affected functionality requires no authentication, an attacker does not need valid credentials to exploit it. This can expose sensitive data reachable from the Zitadel instance's network position, such as configuration files, database backups, or internal API endpoints. Successful exploitation could also let attackers scan internal networks for other vulnerable services, facilitating lateral movement and expanding the attack surface. The full-read capability significantly increases the potential impact, since attackers receive the content of the forwarded responses and can build a comprehensive view of the system's internal workings.
Public proof-of-concept (PoC) code for this vulnerability is likely to emerge given its critical severity and SSRF nature. The vulnerability's unauthenticated nature significantly increases the likelihood of exploitation. While no active campaigns have been publicly confirmed as of the publication date, the ease of exploitation suggests it could become a target for opportunistic attackers. The vulnerability was disclosed on 2025-12-15.
Exploit Status
EPSS
0.03% (9th percentile)
The primary mitigation for CVE-2025-67494 is to immediately upgrade Zitadel to version 1.80.0-v2.20.0.20251208091519-4c879b47334e or later. If an immediate upgrade is not feasible due to compatibility concerns or testing requirements, consider implementing temporary workarounds such as restricting outbound network access from the Zitadel server to only necessary destinations. Web Application Firewalls (WAFs) configured to detect and block SSRF attempts can also provide a layer of defense. Monitor Zitadel logs for unusual outbound requests that might indicate exploitation attempts. After upgrading, confirm the fix by attempting a request to an internal resource and verifying that it is denied.
Update ZITADEL to version 4.7.1 or higher. This version fixes the SSRF vulnerability that allows unauthenticated attackers to make HTTP requests to arbitrary domains from the server. The update prevents data exfiltration and network segmentation control bypass.
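One way to apply the outbound-restriction control described above at the application layer rather than at the firewall, as an added illustration that is not Zitadel's code or its actual fix: a Go HTTP client whose dialer refuses loopback, private, link-local (including the 169.254.169.254 cloud metadata address), multicast and unspecified destinations. It goes slightly beyond the page's description by checking every resolved address and dialing the vetted IP literal, which also covers DNS rebinding; the names `isForbiddenIP`, `guardedDialContext` and `newGuardedClient` are assumptions.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/http"
	"time"
)

// isForbiddenIP reports whether a destination is one an auth server should
// never be steered into fetching: loopback, RFC 1918 / ULA private ranges,
// link-local (covers the 169.254.169.254 metadata endpoint), multicast, unspecified.
func isForbiddenIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsMulticast() || ip.IsUnspecified()
}

// guardedDialContext (hypothetical helper) resolves the host, rejects the
// connection if ANY resolved address is forbidden, then dials the vetted IP
// literal instead of the hostname so a second lookup cannot swap in an internal record.
func guardedDialContext(ctx context.Context, network, addr string) (net.Conn, error) {
	host, port, err := net.SplitHostPort(addr)
	if err != nil {
		return nil, err
	}
	// LookupIPAddr returns an IP literal as-is without issuing a DNS query.
	ips, err := net.DefaultResolver.LookupIPAddr(ctx, host)
	if err != nil {
		return nil, err
	}
	for _, ipa := range ips {
		if isForbiddenIP(ipa.IP) {
			return nil, fmt.Errorf("ssrf guard: %s resolves to forbidden address %s", host, ipa.IP)
		}
	}
	d := net.Dialer{Timeout: 5 * time.Second}
	return d.DialContext(ctx, network, net.JoinHostPort(ips[0].IP.String(), port))
}

// newGuardedClient wires the guard into the transport, so redirects the client
// follows are dialed through the same check as the initial request.
func newGuardedClient() *http.Client {
	return &http.Client{
		Timeout:   10 * time.Second,
		Transport: &http.Transport{DialContext: guardedDialContext},
	}
}
```

Calling `newGuardedClient().Get("http://127.0.0.1:8080/")` fails with the guard error before any socket is opened, which is the "request to an internal resource is denied" check the mitigation text asks for.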
CVE-2025-67494 is a critical SSRF vulnerability in Zitadel allowing unauthenticated attackers to read internal resources. It affects versions before 4.7.1 and requires immediate attention.
If you are running Zitadel versions prior to 4.7.1, you are vulnerable. Check your version and upgrade as soon as possible.
Upgrade Zitadel to version 1.80.0-v2.20.0.20251208091519-4c879b47334e or later. Consider temporary workarounds if immediate upgrade is not possible.
While no active campaigns are confirmed, the vulnerability's severity and ease of exploitation suggest it is a potential target.
Refer to the Zitadel security advisory on GitHub for detailed information and updates: https://github.com/zitadel/zitadel/security/advisories/GHSA-xxxx-xxxx-xxxx (placeholder; the advisory identifier is not given on this page).