CVE-2025-67495
📋 TL;DR
ZITADEL versions 4.0.0-rc.1 through 4.7.0 contain a DOM-based XSS vulnerability in the logout endpoint: the logout page consumes the post_logout_redirect parameter client-side without sufficient validation. An unauthenticated attacker who gets a user to open a crafted logout URL can run arbitrary JavaScript in that user's browser, in the ZITADEL origin. The vulnerable code path is reached when the browser holds multiple active ZITADEL user sessions, so every deployment in which users keep more than one session in the same browser is affected.
💻 Affected Systems
- ZITADEL
📦 What is this software?
ZITADEL, an open-source identity and access management platform (OIDC/OAuth 2.0 provider) by Zitadel.
⚠️ Risk & Real-World Impact
Worst Case
Account takeover: script running in the ZITADEL origin can hijack the session or phish credentials, and without MFA or passwordless authentication that amounts to complete compromise of the user account.
Likely Case
Session hijacking leading to unauthorized access to user accounts and potential data exposure.
If Mitigated
Limited impact if MFA or passwordless authentication is enforced, since stolen passwords alone do not yield account takeover; data reachable from the live session may still be exposed.
🎯 Exploit Status
Exploitation requires getting a victim to open an attacker-crafted logout URL in a browser that holds more than one active ZITADEL session; no authentication is needed to craft the URL.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.7.1
Vendor Advisory: https://github.com/zitadel/zitadel/security/advisories/GHSA-v959-qxv6-6f8p
Restart Required: Yes
Instructions:
1. Back up the current ZITADEL configuration and data.
2. Update ZITADEL to version 4.7.1 or later.
3. Restart the ZITADEL services.
4. Verify that the running version reports 4.7.1 or later and that the logout flow still redirects correctly.
🔧 Temporary Workarounds
Disable logout redirect functionality
Temporarily disable or restrict handling of the post_logout_redirect parameter in the logout endpoint.
If your version exposes a setting for this, use it; otherwise a reverse proxy in front of ZITADEL can reject or strip the parameter on the logout route. Either way, clients that rely on being returned to their own page after logout will no longer be redirected there.
Implement Content Security Policy (CSP)
Add a strict Content-Security-Policy header so that injected scripts cannot run.
Use a script-src directive that does not include 'unsafe-inline': that blocks both injected inline scripts and navigation to javascript: URLs. Test the policy against the login UI in staging first, since a policy its own scripts cannot satisfy breaks login for everyone.
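The two ways a client-side logout page can consume post_logout_redirect, as an added JavaScript example (not ZITADEL's code and not the 4.7.1 patch; the registered-URI allowlist, the idp.example.com origin and the function names are assumptions). The naive version shows why a string check on "javascript:" is not a fix: browsers strip ASCII tab/newline and lower-case the scheme before an href or location assignment is evaluated, so mixed case and embedded tabs slip past it. The hardened version parses the value with the WHATWG URL parser the browser itself uses, allows only http(s), and requires an exact match against the client's registered post-logout URIs, falling back to the IdP's own landing page otherwise.

```javascript
// Added example: safe vs. unsafe handling of a post_logout_redirect value on a
// client-side logout page. Illustrative code, not ZITADEL's.

// Assumptions for the example: the IdP's own origin (used only to resolve
// relative input) and its landing page, used as the fallback target.
const IDP_ORIGIN = 'https://idp.example.com';
const DEFAULT_AFTER_LOGOUT = '/';

// Constructed allowlist standing in for the post-logout redirect URIs
// registered for the client. OIDC RP-initiated logout requires an exact match.
const REGISTERED_POST_LOGOUT_URIS = new Set([
  'https://app.example.com/signed-out',
  'https://app.example.com/',
]);

// Unsafe: a prefix check on the raw string. The browser does not see the string
// this way. Before an href or location assignment is evaluated it strips ASCII
// tab/newline and lower-cases the scheme, so 'JAVASCRIPT:...' and
// 'java\tscript:...' are javascript: URLs to the browser but not to this check.
function naiveRedirect(raw) {
  if (raw.startsWith('javascript:')) return DEFAULT_AFTER_LOGOUT;
  return raw;
}

// Safe: parse with the WHATWG URL parser (the same normalization the browser
// applies), allow only http(s), and require an exact match of
// scheme + host + port + path against the registered list.
function safeRedirect(raw) {
  let url;
  try {
    url = new URL(raw, IDP_ORIGIN);
  } catch {
    return DEFAULT_AFTER_LOGOUT; // unparseable input: never pass it on
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') {
    return DEFAULT_AFTER_LOGOUT; // javascript:, data:, vbscript:, blob:, ...
  }
  // Query and fragment are not part of the registration, so they are dropped
  // rather than forwarded: the attacker controls them as much as the rest.
  const candidate = url.origin + url.pathname;
  return REGISTERED_POST_LOGOUT_URIS.has(candidate) ? candidate : DEFAULT_AFTER_LOGOUT;
}

// Minimal attribute escaping for the constructed markup below.
function escapeAttr(s) {
  return String(s).replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;');
}

// How a page listing several sessions would wire this up: the validated target,
// never the raw parameter, goes into each href. Attribute escaping alone would
// not help here, because a javascript: URL inside an href runs on click no
// matter how well it is escaped. (Constructed markup; the real page's structure
// is not shown on this page.)
function renderSessionLogoutLinks(sessionIds, rawRedirect) {
  const target = safeRedirect(rawRedirect);
  return sessionIds.map(
    (id) => `<a href="${escapeAttr(target)}" data-session="${escapeAttr(id)}">Log out</a>`
  );
}
```

Exact matching against registered URIs is what the OIDC RP-initiated logout spec requires anyway; a scheme check alone would still let an attacker bounce the user to an arbitrary https site after logout.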
🧯 If You Can't Patch
- Enforce MFA or passwordless authentication for all users so that stolen passwords alone do not give account takeover
- Add WAF rules that reject logout requests whose redirect parameter carries javascript:, data: or <script payloads; match on the percent-decoded value (decoding more than once) and treat this as defense in depth only, since encoding and whitespace tricks bypass signature matching
🔍 How to Verify
Check if Vulnerable:
Check the running ZITADEL version against the affected range (4.0.0-rc.1 through 4.7.0). On an instance you control, with more than one active session in the browser, open the logout endpoint with a post_logout_redirect value that carries a harmless probe payload and observe whether it runs.
Check Version:
zitadel version
Verify Fix Applied:
Confirm the running version is 4.7.1 or later, then repeat the logout test: the crafted post_logout_redirect value must be rejected (the page should fall back to a safe default destination) and no script should run.
📡 Detection & Monitoring
Log Indicators:
- Logout requests whose post_logout_redirect value, after percent-decoding, contains javascript:, data: or <script
- Repeated logout requests from one source IP with varying redirect values, which looks like payload probing
Network Indicators:
- HTTP requests to the logout endpoint carrying script payloads in the query string, usually percent-encoded once or twice
- Post-logout redirects to destinations that are not among the clients' registered redirect URIs
SIEM Query:
source="zitadel" AND url_path="/logout" AND (query_parameters CONTAINS "javascript:" OR query_parameters CONTAINS "<script")
Adjust url_path to the logout route of your deployment, and search the decoded query string (or add the percent-encoded forms such as "javascript%3A" and "%3Cscript") so that encoded payloads are not missed.