CVE-2025-67494: ZITADEL Vulnerable to Unauthenticated Full-Read SSRF via V2 Login

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2025-67494

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

ZITADEL Vulnerable to Unauthenticated Full-Read SSRF via V2 Login

Source: NVD (National Vulnerability Database)

Vulnerability Description

ZITADEL is an open-source identity infrastructure tool. Versions 4.7.0 and below are vulnerable to an unauthenticated, full-read SSRF vulnerability. The ZITADEL Login UI (V2) treats the x-zitadel-forward-host header as a trusted fallback for all deployments, including self-hosted instances. This allows an unauthenticated attacker to force the server to make HTTP requests to arbitrary domains, such as internal addresses, and read the responses, enabling data exfiltration and bypassing network-segmentation controls. This issue is fixed in version 4.7.1.

Source: NVD (National Vulnerability Database)

CVSS Information

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

Source: NVD (National Vulnerability Database)

Vulnerability Type

服务端请求伪造(SSRF)

Source: NVD (National Vulnerability Database)

Vulnerability Title

ZITADEL 代码问题漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

ZITADEL是瑞士ZITADEL开源的一个 Auth0、Firebase Auth、AWS Cognito 以及为容器和无服务器时代构建的 Keycloak 的现代开源替代方案。 ZITADEL 4.7.0及之前版本存在代码问题漏洞，该漏洞源于x-zitadel-forward-host标头处理不当，可能导致未经验证的服务端请求伪造攻击。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
zitadel	zitadel	< 1.80.0-v2.20.0.20251208091519-4c879b47334e	-

II. Public POCs for CVE-2025-67494

#	POC Description	Source Link	Shenlong Link
1	None	https://github.com/Chocapikk/CVE-2025-67494	POC Details

AI-Generated POCPremium

Qwen3.5-35B-A3B-UD-Q4_K_XL.gguf · 8253 chars

Paid plan includes:

In-depth vulnerability mechanism

Trigger conditions & impact

Full executable POC code

Exploit chain & mitigation

POC zip download

100+ AI POC generations per month

Upgrade Pro to unlock ¥99/month Sign up first

III. Intelligence Information for CVE-2025-67494

Please Login to view more intelligence information

https://github.com/zitadel/zitadel/security/advisories/GHSA-7wfc-4796-gmg5x_refsource_CONFIRM
https://github.com/zitadel/zitadel/commit/4c879b47334e01d4fcab921ac1b44eda39acdb96x_refsource_MISC
https://nvd.nist.gov/vuln/detail/CVE-2025-67494

IV. Related Vulnerabilities

Same product: zitadel

Same vendor: zitadel

Same weakness: CWE-918

V. Comments for CVE-2025-67494

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

I. Basic Information for CVE-2025-67494

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2025-67494

III. Intelligence Information for CVE-2025-67494

IV. Related Vulnerabilities

V. Comments for CVE-2025-67494

Leave a comment