CVE-2025-67494 — Vulnetix

Try Vulnetix Request Demo

CVE-2025-67494 PUBLISHED CVSS 9.300000190734863 CRITICAL

ZITADEL is an open-source identity infrastructure tool. Versions 4.7.0 and below are vulnerable to an unauthenticated, full-read SSRF vulnerability. The ZITADEL Login UI (V2) treats the x-zitadel-forward-host header as a trusted fallback for all deployments, including self-hosted instances. This allows an unauthenticated attacker to force the server to make HTTP requests to arbitrary domains, such as internal addresses, and read the responses, enabling data exfiltration and bypassing network-segmentation controls. This issue is fixed in version 4.7.1.

EPSS 0.03% · 9.2th percentile

Risk Scores

CVSS v3.1

9.300000190734863

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

EPSS Score

0.03%

9.2th percentile

Affected Products

Vendor	Product	Versions
zitadel	zitadel	4.0.0, < 1.80.0-v2.20.0.20251208091519-4c879b47334e, >= 1.83.4, <= 1.87.5
github.com	zitadel/zitadel/v2	0
github.com	zitadel/zitadel	0, 1.83.4, 4.0.0-rc.1

Timeline

Dec 8, 2025 CVE Published
Dec 10, 2025 EPSS Score
Dec 10, 2025 PoC Published
Dec 14, 2025 EPSS Score
Dec 15, 2025 CVE Updated
Dec 17, 2025 EPSS Score
Dec 21, 2025 EPSS Score
Dec 24, 2025 EPSS Score
Dec 28, 2025 EPSS Score
Jan 1, 2026 EPSS Score
Jan 4, 2026 EPSS Score
Jan 8, 2026 EPSS Score

References

Open in Interactive Console →