CVE-2025-67494
📋 TL;DR
CVE-2025-67494 is an unauthenticated server-side request forgery (SSRF) vulnerability in the ZITADEL identity and access management platform. By setting the x-zitadel-forward-host request header, an attacker can make the ZITADEL Login UI send HTTP requests to arbitrary internal or external hosts and read the responses, potentially exposing sensitive data. All self-hosted ZITADEL deployments running a version before 4.7.1 are affected.
💻 Affected Systems
- ZITADEL
📦 What is this software?
ZITADEL, by Zitadel, is an open-source identity and access management (IAM) platform that provides authentication, authorization and user management for applications (OpenID Connect/OAuth 2.0 and SAML). The Login UI is the hosted login front end that end users interact with and that talks to the ZITADEL API on their behalf.
⚠️ Risk & Real-World Impact
Worst Case
Complete data exfiltration from internal services, credential theft from metadata services, lateral movement to cloud management APIs, and bypass of network segmentation controls.
Likely Case
Exfiltration of internal service data, reconnaissance of internal network topology, and potential access to cloud metadata services in cloud deployments.
If Mitigated
Limited impact if egress from the Login UI host is restricted to the services it legitimately needs (so outbound requests to internal ranges and cloud metadata endpoints are blocked) and internal services require authentication rather than trusting the source network.
🎯 Exploit Status
Exploitation requires only sending an HTTP request to the Login UI with an attacker-chosen x-zitadel-forward-host header. No account, authentication or special privilege is needed, and the attack is a single request that can be scripted.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.7.1
Vendor Advisory: https://github.com/zitadel/zitadel/security/advisories/GHSA-7wfc-4796-gmg5
Restart Required: Yes
Instructions:
1. Back up your ZITADEL configuration and database.
2. Update to ZITADEL version 4.7.1 or later.
3. Restart the ZITADEL service.
4. Verify the update: confirm the running version reports 4.7.1 or later and repeat the SSRF check described under How to Verify.
🔧 Temporary Workarounds
Web Application Firewall (WAF) Rule
Block or sanitize the x-zitadel-forward-host header at the network perimeter.
The exact rule depends on the WAF platform: create a rule that blocks (or strips) any client request carrying an x-zitadel-forward-host header, matching the header name case-insensitively. Browsers never send this header, so the rule should not affect legitimate logins; still confirm the login flow afterwards, in case your deployment sets the header on a trusted hop behind the WAF.
Reverse Proxy Header Filtering
Configure the reverse proxy in front of the Login UI (nginx, Apache, etc.) to strip the header from client requests before they are forwarded.
nginx: add proxy_set_header X-ZITADEL-Forward-Host ""; to the location block that proxies to the Login UI (an empty value removes the header from the upstream request).
Apache: RequestHeader unset X-ZITADEL-Forward-Host (requires mod_headers).
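A fuller form of the nginx workaround, added here as an example and not configuration from the ZITADEL project: it rejects client requests that carry the header (so the attempt shows up as a 400 in the access log) and also strips the header before proxying. The upstream address, server name, certificate paths and the /ui/v2/login/ path are assumptions for this deployment.

```nginx
# Added example, not ZITADEL's own configuration. Upstream address, server
# name, certificate paths and the login path are assumptions.
upstream zitadel_login {
    server 127.0.0.1:3000;
}

server {
    listen 443 ssl;
    server_name login.example.test;
    ssl_certificate     /etc/ssl/login.example.test.pem;      # assumed path
    ssl_certificate_key /etc/ssl/login.example.test.key;      # assumed path

    location /ui/v2/login/ {
        # nginx exposes the request header as $http_x_zitadel_forward_host.
        # Option 1: reject outright, which leaves a 400 in the access log.
        if ($http_x_zitadel_forward_host) {
            return 400;
        }

        # Option 2: an empty value removes the header from the upstream
        # request, so nothing client-supplied reaches the Login UI.
        proxy_set_header X-ZITADEL-Forward-Host "";

        # proxy_set_header in a location replaces all inherited ones, so the
        # usual forwarding headers have to be repeated here.
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://zitadel_login;
    }
}
```

Use either option on its own or both together. After reloading, confirm a normal login still works, and that a request with the header now receives a 400 (option 1) or that the Login UI no longer contacts the host named in it (option 2).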
🧯 If You Can't Patch
- Restrict outbound HTTP connections from the ZITADEL Login UI host to the services it legitimately needs (egress filtering), and block access to cloud metadata endpoints such as 169.254.169.254 in particular.
- Deploy a WAF or reverse proxy that rejects or strips the x-zitadel-forward-host header from client requests before they reach the Login UI.
🔍 How to Verify
Check if Vulnerable:
The deployment is vulnerable if it runs ZITADEL 4.7.0 or earlier (any release before 4.7.1). To confirm dynamically, on a system you are authorised to test, send an HTTP request to the Login UI endpoint with an x-zitadel-forward-host header pointing at a host you control and watch that host for an inbound callback.
Check Version:
zitadel version (CLI) or check ZITADEL admin interface version information
Verify Fix Applied:
After updating to 4.7.1 or later, repeat the same test: the Login UI must not contact the host named in the header, and the request should be rejected or the header ignored.
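The callback check described above, as an added example in Python (not ZITADEL's code and not part of the advisory). It starts a throwaway HTTP listener, sends one request with the header pointing at that listener, and reports whether anything called back. The simulated Login UI at the bottom is constructed only so the probe can be exercised offline against both vulnerable and fixed behaviour; the /ui/v2/login/ path, the /probe path and the timeouts are assumptions.

```python
"""Callback-based check for the x-zitadel-forward-host SSRF.

Added example, not ZITADEL's code. Starts a listener we control, sends one
request to a Login UI URL with the header pointing at it, and reports whether
the target called back. Paths and timeouts are assumptions for a lab run.
"""
import sys
import threading
import time
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

HEADER = "x-zitadel-forward-host"
# Opener without proxy handlers, so loopback traffic ignores http_proxy settings.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


class CallbackListener:
    """Ephemeral HTTP server on 127.0.0.1 that records every request it receives."""

    def __init__(self):
        self.hits = []
        hits = self.hits

        class Handler(BaseHTTPRequestHandler):
            def do_GET(self):
                hits.append((self.client_address[0], self.path))
                self.send_response(200)
                self.end_headers()
                self.wfile.write(b"callback received")

            def log_message(self, *args):
                pass  # keep the listener quiet

        self.server = ThreadingHTTPServer(("127.0.0.1", 0), Handler)
        self.authority = f"127.0.0.1:{self.server.server_address[1]}"
        threading.Thread(target=self.server.serve_forever, daemon=True).start()

    def close(self):
        self.server.shutdown()
        self.server.server_close()


def probe(login_url, wait_seconds=2.0):
    """Return True if the Login UI at login_url contacted our listener.

    The target's own HTTP response (or error) is ignored; the only evidence
    used is whether the listener saw an inbound request within wait_seconds.
    """
    listener = CallbackListener()
    try:
        req = urllib.request.Request(login_url, headers={HEADER: listener.authority})
        try:
            _OPENER.open(req, timeout=5).read()
        except OSError:  # covers URLError/HTTPError and socket timeouts
            pass
        deadline = time.monotonic() + wait_seconds
        while time.monotonic() < deadline and not listener.hits:
            time.sleep(0.05)
        return bool(listener.hits)
    finally:
        listener.close()


def start_simulated_login(follow_header):
    """Stand-in for a Login UI, constructed here for offline testing only.

    follow_header=True mimics the vulnerable behaviour: the server builds a URL
    from the client-supplied header and fetches it. follow_header=False ignores
    the header, as a fixed version should. Returns (server, login_url).
    """

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            forwarded = self.headers.get(HEADER)
            if follow_header and forwarded:
                try:
                    _OPENER.open(f"http://{forwarded}/probe", timeout=2).read()
                except OSError:
                    pass
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"login page")

        def log_message(self, *args):
            pass

    server = ThreadingHTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}/ui/v2/login/"


if __name__ == "__main__":
    # Usage: python probe.py https://login.example.test/ui/v2/login/   (no argument: self-test)
    target = sys.argv[1] if len(sys.argv) > 1 else start_simulated_login(True)[1]
    print("callback received:", probe(target))
```

Against a real deployment the listener has to be reachable from the Login UI host, so run it on a machine with a routable address and pass that address instead of 127.0.0.1; a callback proves the header was followed, while no callback within the wait is consistent with the fix but not proof of it if egress from the host is already filtered.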
📡 Detection & Monitoring
Log Indicators:
- Unusual outbound HTTP requests from the ZITADEL Login UI host to internal IP ranges or hosts it does not normally contact
- Client-originated HTTP requests to the Login UI that carry an x-zitadel-forward-host header (browsers never send it, so any occurrence from outside trusted infrastructure is suspect)
- Header values naming internal addresses, cloud metadata endpoints or attacker-controlled domains, especially many requests from one source with varying values (internal network scanning)
Network Indicators:
- HTTP traffic from ZITADEL server to unexpected internal destinations
- Requests to cloud metadata endpoints (169.254.169.254, etc.) from ZITADEL
SIEM Query (pseudo-query: adapt the field names to your platform, replace RFC1918_RANGES and CLOUD_METADATA_IPS with its CIDR lists, and exclude the destinations the Login UI legitimately calls, such as the ZITADEL API):
source="zitadel" AND (http_header="x-zitadel-forward-host" OR dest_ip IN (RFC1918_RANGES, CLOUD_METADATA_IPS))
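The same indicators implemented over sample log lines, as an added example (not ZITADEL's code and not a vendor SIEM query). The JSON-lines format, the field names, the allowlisted ZITADEL API address 10.0.5.10 and all sample addresses are constructed for the demo; map them to your own proxy access logs and flow logs.

```python
"""Detection logic for the x-zitadel-forward-host SSRF, run over sample log lines.

Added example, not ZITADEL's code or any vendor's SIEM query. The log format
(one JSON object per line: kind=inbound for requests reaching the Login UI,
kind=outbound for connections the Login UI host opens) and the sample lines
are constructed for the demo; map the field names to your own logs.
"""
import ipaddress
import json

HEADER = "x-zitadel-forward-host"

# RFC 1918, loopback and link-local, listed explicitly rather than relying on
# ipaddress.is_private (which also flags the TEST-NET documentation ranges).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
METADATA_IPS = {ipaddress.ip_address("169.254.169.254")}
# Assumption for this demo: the ZITADEL API the Login UI legitimately calls.
# Excluding it keeps "outbound_to_internal" from firing on every normal login.
ALLOWED_INTERNAL = {ipaddress.ip_address("10.0.5.10")}

# Constructed sample log: two login requests carrying the header (one aimed at
# the cloud metadata IP), one benign login, and four outbound connections.
SAMPLE_LOG = """\
{"ts":"2025-12-01T10:00:01Z","kind":"inbound","src_ip":"203.0.113.7","path":"/ui/v2/login/","headers":{"Host":"login.example.test","User-Agent":"Mozilla/5.0"}}
{"ts":"2025-12-01T10:00:02Z","kind":"inbound","src_ip":"203.0.113.9","path":"/ui/v2/login/","headers":{"Host":"login.example.test","X-Zitadel-Forward-Host":"169.254.169.254"}}
{"ts":"2025-12-01T10:00:02Z","kind":"outbound","src_ip":"10.0.5.20","dst_ip":"169.254.169.254","dst_port":80}
{"ts":"2025-12-01T10:00:03Z","kind":"outbound","src_ip":"10.0.5.20","dst_ip":"10.0.5.10","dst_port":8080}
{"ts":"2025-12-01T10:00:04Z","kind":"outbound","src_ip":"10.0.5.20","dst_ip":"93.184.216.34","dst_port":443}
{"ts":"2025-12-01T10:00:05Z","kind":"inbound","src_ip":"203.0.113.9","path":"/ui/v2/login/","headers":{"Host":"login.example.test","x-zitadel-forward-host":"attacker.example.test:8443"}}
{"ts":"2025-12-01T10:00:06Z","kind":"outbound","src_ip":"10.0.5.20","dst_ip":"10.0.9.9","dst_port":5432}
"""


def host_part(value):
    """Strip an optional :port from a header value, handling bracketed IPv6 literals."""
    if value.startswith("["):
        return value[1:value.find("]")]
    return value.rsplit(":", 1)[0] if value.count(":") == 1 else value


def parse_ip(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None  # hostnames and garbage are not IP literals


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def classify(event):
    """Return the indicator names one log event triggers (empty list if benign)."""
    hits = []
    if event.get("kind") == "inbound":
        headers = {k.lower(): v for k, v in event.get("headers", {}).items()}
        if HEADER in headers:
            # Browsers never send this header; any client-originated occurrence is suspect.
            hits.append("client_supplied_forward_host")
            addr = parse_ip(host_part(headers[HEADER]))
            if addr is not None and (addr in METADATA_IPS or is_internal(addr)):
                hits.append("forward_host_targets_internal_ip")
    elif event.get("kind") == "outbound":
        addr = parse_ip(event.get("dst_ip", ""))
        if addr in METADATA_IPS:
            hits.append("outbound_to_cloud_metadata")
        elif addr is not None and is_internal(addr) and addr not in ALLOWED_INTERNAL:
            hits.append("outbound_to_internal")
    return hits


def scan(lines):
    """Map 1-based line number -> indicators for every line that triggers at least one."""
    findings = {}
    for number, line in enumerate(lines, start=1):
        if line.strip():
            hits = classify(json.loads(line))
            if hits:
                findings[number] = hits
    return findings


if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOG.splitlines()).items():
        print(f"line {number}: {', '.join(hits)}")
```

The header match is the high-confidence signal and is worth alerting on by itself; the outbound-to-internal indicator is noisier and depends on keeping the allowlist of legitimate destinations accurate, so correlate it with a header match from the same time window before escalating.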