PT-2023-31055 · Zitadel · Zitadel

Amit-Laish · Published 2023-11-29 · Updated 2023-12-08 · CVE-2023-49097

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions

ZITADEL versions prior to 2.39.9
ZITADEL 2.40.x versions prior to 2.40.10
ZITADEL 2.41.x versions prior to 2.41.6
Description

ZITADEL is an identity infrastructure system. Affected versions use the Forwarded or X-Forwarded-Host request header to build the host of the button link placed in the e-mail that confirms a password reset, and that link carries the emailed secret code. An attacker who triggers a password reset for a victim while setting one of these headers to a host under their control causes the victim's e-mail to link to the attacker's site. If the victim clicks the link, the code is delivered to the attacker, who can use it to set a new password and take over the account. Accounts with MFA or passwordless authentication enabled cannot be taken over by this attack, since a new password alone does not complete their login.
Recommendations

For versions prior to 2.39.9, update to version 2.39.9 or later.
For 2.40.x versions prior to 2.40.10, update to version 2.40.10 or later.
For 2.41.x versions prior to 2.41.6, update to version 2.41.6 or later.

As a temporary workaround for self-hosted environments, configure the proxy in front of ZITADEL to delete (not merely rewrite) every Forwarded and X-Forwarded-Host header value on every request before it is forwarded to ZITADEL, so that client-supplied values never reach the backend.
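The link construction the advisory describes, its hardened counterpart, and the proxy workaround, as an added Go example. This is not ZITADEL's own code (the project's real config keys, endpoint paths and link builder are not reproduced here); the host names, the reset path, the user ID and the code are constructed for the demonstration. The vulnerable builder trusts X-Forwarded-Host and the host= parameter of an RFC 7239 Forwarded header, the hardened one uses only the operator's configured external domain, and the reverse proxy drops both headers before the backend sees them.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
)

// Constructed values for the demonstration, not taken from any real deployment.
const (
	externalDomain = "login.example.com"           // host the operator actually serves on
	attackerHost   = "evil.example"                // host the attacker wants in the victim's e-mail
	resetPath      = "/ui/login/password/init/user" // hypothetical confirmation path
)

// hostFromForwarded returns the host= parameter of an RFC 7239 Forwarded header
// value such as `for=203.0.113.7;host=evil.example;proto=https`, or "" when it
// is absent. Only the first forwarded element is considered.
func hostFromForwarded(v string) string {
	first := strings.SplitN(v, ",", 2)[0]
	for _, pair := range strings.Split(first, ";") {
		kv := strings.SplitN(strings.TrimSpace(pair), "=", 2)
		if len(kv) == 2 && strings.EqualFold(kv[0], "host") {
			return strings.Trim(kv[1], `"`)
		}
	}
	return ""
}

func buildLink(host, userID, code string) string {
	u := url.URL{Scheme: "https", Host: host, Path: resetPath}
	u.RawQuery = url.Values{"userID": {userID}, "code": {code}}.Encode()
	return u.String()
}

// vulnerableResetLink models the pre-fix behaviour: the host of the e-mailed
// link comes from the request's proxy headers, so whoever sends the reset
// request decides where the victim's secret code is delivered.
func vulnerableResetLink(r *http.Request, userID, code string) string {
	host := r.Host
	if h := r.Header.Get("X-Forwarded-Host"); h != "" {
		host = h
	} else if h := hostFromForwarded(r.Header.Get("Forwarded")); h != "" {
		host = h
	}
	return buildLink(host, userID, code)
}

// hardenedResetLink ignores the request and uses the configured external
// domain, so a forged header cannot redirect the link.
func hardenedResetLink(userID, code string) string {
	return buildLink(externalDomain, userID, code)
}

// forgedResetRequest builds the reset request an attacker would send for the
// victim, carrying the given proxy headers (empty string = header not set).
func forgedResetRequest(xForwardedHost, forwarded string) *http.Request {
	r := httptest.NewRequest(http.MethodPost, "https://"+externalDomain+"/ui/login/password/init", nil)
	if xForwardedHost != "" {
		r.Header.Set("X-Forwarded-Host", xForwardedHost)
	}
	if forwarded != "" {
		r.Header.Set("Forwarded", forwarded)
	}
	return r
}

// stripProxyHostHeaders is the fronting-proxy workaround as a Go reverse proxy:
// Forwarded and X-Forwarded-Host are deleted, whatever the client sent.
func stripProxyHostHeaders(backend *url.URL) *httputil.ReverseProxy {
	p := httputil.NewSingleHostReverseProxy(backend)
	director := p.Director
	p.Director = func(r *http.Request) {
		director(r)
		r.Header.Del("Forwarded")
		r.Header.Del("X-Forwarded-Host")
	}
	return p
}

// proxyLeaksHostHeaders sends a request with forged headers through the
// stripping proxy to an in-memory backend and reports whether either header
// still reached the backend.
func proxyLeaksHostHeaders() bool {
	seen := make(chan http.Header, 1)
	backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen <- r.Header.Clone()
	}))
	defer backend.Close()
	backendURL, _ := url.Parse(backend.URL)
	front := httptest.NewServer(stripProxyHostHeaders(backendURL))
	defer front.Close()

	req, _ := http.NewRequest(http.MethodPost, front.URL+"/ui/login/password/init", nil)
	req.Header.Set("X-Forwarded-Host", attackerHost)
	req.Header.Set("Forwarded", "host="+attackerHost+";proto=https")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		panic(err)
	}
	resp.Body.Close()
	h := <-seen
	return h.Get("Forwarded") != "" || h.Get("X-Forwarded-Host") != ""
}

func main() {
	fmt.Println("vulnerable:", vulnerableResetLink(forgedResetRequest(attackerHost, ""), "123", "C0DE"))
	fmt.Println("hardened:  ", hardenedResetLink("123", "C0DE"))
	fmt.Println("proxy leaks host headers:", proxyLeaksHostHeaders())
}
```

The vulnerable builder puts the attacker's host in front of the code, which is exactly the link the victim receives; the hardened builder produces the same link regardless of headers. A real fronting proxy achieves what stripProxyHostHeaders does by deleting the two headers before proxying (in nginx, setting each of them to an empty string with proxy_set_header removes it from the upstream request).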

Related Identifiers

CVE-2023-49097
GHSA-2WMJ-46RJ-QM2W

Affected Products

Zitadel