CVE-2025-67494 identifies a critical unauthenticated Server-Side Request Forgery (SSRF) vulnerability affecting ZITADEL, an open-source identity and access management solution. Exploitation occurs via the V2 Login interface, allowing an unauthenticated attacker to coerce the ZITADEL server into making arbitrary requests to internal or external resources and disclosing the full response content. This enables potential access to sensitive internal network resources, bypassing security controls, and unauthorized information disclosure, posing a severe risk to confidentiality and potentially system integrity within affected environments.

Technical Details

  • CVE ID: CVE-2025-67494
  • Published: 2025-12-10 11:09 UTC
  • Product: Unknown
  • Risk Score: 5.3/10
  • Severity: CRITICAL
  • Original Source: Google_OSV

Remediation

Immediate Action: Upgrade ZITADEL to the patched version addressing CVE-2025-67494 as soon as it becomes available. Monitor official ZITADEL security advisories, release notes, and community channels for specific patch versions and upgrade instructions.

Mitigation (if patch not immediately available):

  1. Network Egress Filtering: Implement strict firewall rules to restrict outbound connections from ZITADEL instances. Allow only explicitly necessary connections to trusted external services. Prevent ZITADEL from initiating connections to internal network segments or sensitive internal resources.
  2. Monitoring and Logging: Enhance logging for ZITADEL instances, specifically focusing on the V2 Login endpoint and all outbound network requests. Monitor for unusual connection attempts, unexpected destinations, or large data transfers originating from the ZITADEL server.
  3. Network Segmentation: Isolate ZITADEL instances within a highly restricted network segment, minimizing their access to other critical internal systems.
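As an added illustration of mitigation steps 1 and 2 (this is example code, not ZITADEL's own tooling), the following Python script checks constructed egress-proxy log lines from a ZITADEL host against an assumed destination allowlist and flags connections to internal or link-local/metadata ranges, non-allowlisted destinations, and unusually large transfers. The log format, hostnames and byte threshold are assumptions.

```python
"""Flag outbound connections from a ZITADEL host that fall outside an egress
allowlist or reach internal address ranges (typical SSRF indicators)."""
import ipaddress
import re
from typing import List, NamedTuple, Optional

# Ranges an identity server should not reach outbound unless explicitly allowed
# (RFC 1918, loopback, link-local incl. cloud metadata, and their IPv6 analogues).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

# Assumed egress policy: only these host:port destinations are legitimate.
ALLOWLIST = {"smtp.example.com:587", "idp.example.com:443", "10.20.0.9:5432"}

# Constructed log format: "<ts> src=<ip> dst=<host-or-ipv4>:<port> bytes=<n>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=\S+ dst=(?P<host>[^:\s]+):(?P<port>\d+) bytes=(?P<bytes>\d+)$")

class Finding(NamedTuple):
    ts: str
    dst: str
    reason: str

def is_internal(host: str) -> bool:
    """True if host is an IP literal inside one of INTERNAL_NETS."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # hostname, not an IP literal
    return any(ip in net for net in INTERNAL_NETS)

def classify(host: str, port: int, nbytes: int, max_bytes: int = 1_000_000) -> Optional[str]:
    """Return a reason string if the connection is suspicious, else None."""
    if f"{host}:{port}" in ALLOWLIST:
        return "large-transfer" if nbytes > max_bytes else None
    if is_internal(host):
        return "internal-destination"
    return "not-allowlisted"

def scan(lines: List[str]) -> List[Finding]:
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            reason = classify(m["host"], int(m["port"]), int(m["bytes"]))
            if reason:
                findings.append(Finding(m["ts"], f"{m['host']}:{m['port']}", reason))
    return findings

SAMPLE_LOG = [  # constructed sample lines
    "2025-12-10T11:09:01Z src=10.20.0.5 dst=10.20.0.9:5432 bytes=2048",
    "2025-12-10T11:09:02Z src=10.20.0.5 dst=169.254.169.254:80 bytes=512",
    "2025-12-10T11:09:03Z src=10.20.0.5 dst=idp.example.com:443 bytes=900",
    "2025-12-10T11:09:04Z src=10.20.0.5 dst=unknown-host.example.net:443 bytes=1200",
    "2025-12-10T11:09:05Z src=10.20.0.5 dst=smtp.example.com:587 bytes=5000000",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.dst} -> {f.reason}")
```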

Disclaimer: This summary was generated by an Artificial Intelligence system and has not been verified by a human expert. Use at your own risk.
