CVE-2025-48936
📋 TL;DR
This vulnerability allows attackers to hijack password reset links in Zitadel identity management software by manipulating HTTP headers. Attackers can redirect users to malicious domains to capture reset codes and gain unauthorized account access. Users without Multi-Factor Authentication (MFA) or Passwordless authentication are primarily affected.
💻 Affected Systems
- Zitadel
📦 What is this software?
Zitadel by Zitadel
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover for users without MFA, leading to unauthorized access to sensitive systems and potential privilege escalation.
Likely Case
Targeted account compromise for specific users, potentially enabling lateral movement within the organization.
If Mitigated
Minimal impact for users with MFA or Passwordless authentication enabled, as these controls prevent successful exploitation.
🎯 Exploit Status
The attack requires the ability to manipulate HTTP headers (e.g., via host header injection) and user interaction (the victim clicking the malicious reset link).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.70.12, 2.71.10, or 3.2.2
Vendor Advisory: https://github.com/zitadel/zitadel/security/advisories/GHSA-93m4-mfpg-c3xf
Restart Required: Yes
Instructions:
1. Identify your Zitadel version.
2. Upgrade to the patched version for your branch: 2.70.12, 2.71.10, or 3.2.2.
3. Restart Zitadel services.
4. Verify the fix by testing password reset functionality.
🔧 Temporary Workarounds
Enable MFA/Passwordless
Require Multi-Factor Authentication or Passwordless authentication for all users to mitigate the vulnerability.
Filter HTTP Headers
Configure reverse proxies or web application firewalls to strip or validate Forwarded and X-Forwarded-Host headers.
🧯 If You Can't Patch
- Enable MFA or Passwordless authentication for all user accounts immediately
- Implement network controls to prevent manipulation of HTTP headers at perimeter devices
🔍 How to Verify
Check if Vulnerable:
Check the Zitadel version via the admin interface or configuration files. If the version is lower than the patched release for its branch (2.70.12, 2.71.10, or 3.2.2), the system is vulnerable.
Check Version:
Check Zitadel configuration or admin dashboard for version information
Verify Fix Applied:
After patching, test the password reset flow while sending requests with altered Forwarded or X-Forwarded-Host headers and confirm that the reset link in the resulting email still points at your configured domain, i.e. that these headers are no longer used in URL construction.
📡 Detection & Monitoring
Log Indicators:
- Unusual patterns in password reset requests
- Requests with manipulated Forwarded or X-Forwarded-Host headers
Network Indicators:
- HTTP requests with suspicious host headers
- Outbound connections to unexpected domains during password reset flows
SIEM Query:
source="zitadel" AND (event="password_reset" AND (header="Forwarded" OR header="X-Forwarded-Host") AND value NOT IN allowed_domains)
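A worked version of the log and SIEM indicators above, added here as an example and not part of the advisory: it reads password-reset events, extracts every host claimed via X-Forwarded-Host or an RFC 7239 Forwarded header, and flags any that is not one of the hostnames Zitadel is actually served on. The JSON log layout, the field names and the allowed hosts are assumptions; the log lines are constructed.

```python
"""Flag password-reset requests whose Forwarded / X-Forwarded-Host value is not an
allowed domain (added example for this advisory; log format and hosts are assumed)."""
import json
import re

# Hostnames this Zitadel instance is legitimately served on (assumption for the example).
ALLOWED_HOSTS = {"auth.example.com", "login.example.com"}

# RFC 7239 "Forwarded": pairs separated by ';', one element per proxy hop separated by ','.
_FORWARDED_HOST = re.compile(r'(?:^|[;,]\s*)host=("?)([^";,]+)\1', re.IGNORECASE)


def forwarded_hosts(headers):
    """Return every host the request claims via X-Forwarded-Host or Forwarded."""
    hosts = []
    xfh = headers.get("X-Forwarded-Host")
    if xfh:
        hosts.extend(h.strip() for h in xfh.split(",") if h.strip())
    fwd = headers.get("Forwarded")
    if fwd:
        hosts.extend(m.group(2) for m in _FORWARDED_HOST.finditer(fwd))
    return hosts


def suspicious_resets(log_lines, allowed=ALLOWED_HOSTS):
    """Return (timestamp, claimed host) for password_reset events whose forwarded
    host is outside the allowlist, i.e. a reset link that could have been built
    with an attacker-chosen domain."""
    findings = []
    for line in log_lines:
        event = json.loads(line)
        if event.get("event") != "password_reset":
            continue
        for raw in forwarded_hosts(event.get("headers", {})):
            if raw.lower().split(":")[0] not in allowed:  # ignore :port when comparing
                findings.append((event["ts"], raw))
    return findings


# Constructed sample log lines in an assumed JSON layout (not real Zitadel output).
SAMPLE_LOG = [
    '{"ts":"2025-06-01T10:01:00Z","event":"password_reset","headers":{"X-Forwarded-Host":"auth.example.com"}}',
    '{"ts":"2025-06-01T10:02:00Z","event":"password_reset","headers":{"X-Forwarded-Host":"attacker.invalid"}}',
    '{"ts":"2025-06-01T10:03:00Z","event":"password_reset","headers":{"Forwarded":"for=203.0.113.5;host=\\"reset-capture.invalid:443\\";proto=https"}}',
    '{"ts":"2025-06-01T10:04:00Z","event":"login","headers":{"X-Forwarded-Host":"attacker.invalid"}}',
    '{"ts":"2025-06-01T10:05:00Z","event":"password_reset","headers":{}}',
]

if __name__ == "__main__":
    for ts, host in suspicious_resets(SAMPLE_LOG):
        print(f"{ts} password reset with untrusted forwarded host: {host}")
```

Requests with no forwarding header at all are not flagged; if your proxy always sets one, treat its absence as a separate indicator.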