CVE-2025-64101
📋 TL;DR
This vulnerability allows attackers to hijack password reset links in Zitadel identity management software by manipulating HTTP headers. Attackers can redirect users to malicious domains to capture reset codes and gain unauthorized account access. Users without MFA or passwordless authentication are primarily affected.
💻 Affected Systems
- Zitadel
📦 What is this software?
Zitadel by Zitadel
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover for users without MFA, potentially leading to privilege escalation, data theft, and lateral movement within the organization.
Likely Case
Targeted account compromise of users who click manipulated password reset emails, with attackers gaining access to sensitive identity management systems.
If Mitigated
Minimal impact for accounts with MFA or passwordless authentication enabled, as these require additional verification beyond the reset code.
🎯 Exploit Status
The attack requires the ability to influence the HTTP headers Zitadel sees (host header injection via Host, X-Forwarded-Host or Forwarded) and user interaction (the victim clicking the link in the password reset email).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.6.0, 3.4.3, or 2.71.18
Vendor Advisory: https://github.com/zitadel/zitadel/security/advisories/GHSA-mwmh-7px9-4c23
Restart Required: Yes
Instructions:
1. Identify your Zitadel version.
2. Upgrade to 4.6.0, 3.4.3, or 2.71.18 based on your major version.
3. Restart Zitadel services.
4. Verify the fix by testing password reset functionality.
🔧 Temporary Workarounds
Enable MFA for all users
Require Multi-Factor Authentication for all accounts to mitigate the impact even if exploitation occurs.
Configure reverse proxy to strip suspicious headers
Configure load balancers or reverse proxies to strip or validate X-Forwarded-Host and Forwarded headers.
# Example nginx configuration: setting a header to an empty string makes nginx omit it from the proxied request
proxy_set_header X-Forwarded-Host "";
proxy_set_header Forwarded "";
🧯 If You Can't Patch
- Implement network controls to prevent host header injection attacks at the perimeter.
- Enable MFA for all users and monitor for suspicious password reset attempts.
🔍 How to Verify
Check if Vulnerable:
Check Zitadel version against affected versions; test password reset functionality with manipulated X-Forwarded-Host headers.
Check Version:
Check Zitadel admin interface or run: docker inspect zitadel | grep -i version
Verify Fix Applied:
After patching, verify password reset links no longer use manipulated headers and test with header injection attempts.
📡 Detection & Monitoring
Log Indicators:
- Unusual X-Forwarded-Host header values in password reset requests
- Multiple failed password reset attempts from the same IP
Network Indicators:
- HTTP requests with manipulated Forwarded or X-Forwarded-Host headers
SIEM Query:
source="zitadel" AND (http_header="X-Forwarded-Host" OR http_header="Forwarded") AND action="password_reset"
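Added example (not Zitadel's code and not part of the advisory): a small Python detector that applies the log indicators and SIEM query above to constructed access-log lines, flagging password-reset requests whose X-Forwarded-Host or Forwarded host= value is not the configured external domain. The JSON log shape, the `password_reset` path marker and the trusted domain `login.example.com` are assumptions.

```python
"""Flag password-reset requests carrying an untrusted forwarded host.
Added example; log format, path marker and trusted domain are assumptions."""
import json

# Assumed: the external domain Zitadel is configured to serve
TRUSTED_HOSTS = {"login.example.com"}
# Assumed: path fragment identifying password-reset requests in the log
RESET_PATH_MARKERS = ("password_reset",)


def _hosts_from_forwarded(value):
    """Extract every host= value from an RFC 7239 Forwarded header."""
    hosts = []
    for element in value.split(","):
        for pair in element.split(";"):
            key, _, val = pair.strip().partition("=")
            if key.lower() == "host":
                hosts.append(val.strip('"').lower())
    return hosts


def suspicious_reset_requests(log_lines):
    """Return (timestamp, client_ip, offending_host) for reset requests whose
    X-Forwarded-Host or Forwarded host= does not name a trusted domain."""
    findings = []
    for line in log_lines:
        rec = json.loads(line)
        path = rec.get("path", "")
        if not any(marker in path for marker in RESET_PATH_MARKERS):
            continue
        headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
        candidates = []
        if "x-forwarded-host" in headers:  # first value wins if several
            candidates.append(headers["x-forwarded-host"].split(",")[0].strip().lower())
        if "forwarded" in headers:
            candidates.extend(_hosts_from_forwarded(headers["forwarded"]))
        for host in candidates:
            if host.rsplit(":", 1)[0] not in TRUSTED_HOSTS:  # ignore :port
                findings.append((rec["ts"], rec["client_ip"], host))
    return findings


# Constructed sample log lines (not real traffic)
SAMPLE_LOG = [
    '{"ts":"2025-11-04T10:00:01Z","client_ip":"203.0.113.7","path":"/v2/users/123/password_reset","headers":{"Host":"login.example.com","X-Forwarded-Host":"login.example.com"}}',
    '{"ts":"2025-11-04T10:00:05Z","client_ip":"198.51.100.9","path":"/v2/users/123/password_reset","headers":{"Host":"login.example.com","X-Forwarded-Host":"attacker.invalid"}}',
    '{"ts":"2025-11-04T10:00:09Z","client_ip":"198.51.100.9","path":"/v2/users/123/password_reset","headers":{"Forwarded":"for=198.51.100.9;host=\\"evil.invalid:443\\";proto=https"}}',
    '{"ts":"2025-11-04T10:00:12Z","client_ip":"203.0.113.8","path":"/oauth/v2/token","headers":{"X-Forwarded-Host":"evil.invalid"}}',
]

if __name__ == "__main__":
    for hit in suspicious_reset_requests(SAMPLE_LOG):
        print(*hit)
```

Only requests on the reset path are reported; the last sample line shows an untrusted host on an unrelated endpoint and is deliberately not flagged, so tune the markers to the paths your deployment exposes.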