PT-2025-13821 · Zitadel · Zitadel
Billybolton · Published 2025-03-31 · Updated 2025-04-01 · CVE-2025-31123
CVSS v3.1: 8.7 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Zitadel versions prior to 2.63.9
Zitadel versions prior to 2.64.6
Zitadel versions prior to 2.65.7
Zitadel versions prior to 2.66.16
Zitadel versions prior to 2.67.13
Zitadel versions prior to 2.68.9
Zitadel versions prior to 2.69.9
Zitadel versions prior to 2.70.8
Zitadel versions prior to 2.71.6
Description
A vulnerability in Zitadel allows expired keys to be used to retrieve tokens. Specifically, Zitadel fails to check the expiration date of a JWT key when that key is used for the JWT Profile authorization grant, so an attacker holding an expired key can still obtain valid access tokens. The issue does not affect the use of JWT Profile for OAuth 2.0 Client Authentication on the Token and Introspection endpoints.
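To make the missing check concrete, the following is an added example written for this page; it is not Zitadel's code and uses only the Go standard library. It models the server side of a JWT bearer grant: the client signs an RS256 assertion, and the server verifies the signature and the assertion's own `exp` claim, but also refuses the grant when the registered key's expiration date has passed. The `RegisteredKey` type, the key id `client-key-1`, the audience URL and the `GrantOutcome` helper are constructed for the example and are assumptions, not Zitadel's data model or API.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// RegisteredKey is a constructed stand-in for the key record an authorization
// server keeps for a client: the public key plus the expiration date set when
// the key was created. It is not Zitadel's own data model.
type RegisteredKey struct {
	Public    *rsa.PublicKey
	ExpiresAt time.Time
}

var ErrKeyExpired = errors.New("registered key has expired")
var ErrBadSignature = errors.New("invalid assertion signature")

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignAssertion builds a minimal RS256 JWT (header.payload.signature) the way a
// client would for the JWT bearer grant; used here only to produce input.
func SignAssertion(priv *rsa.PrivateKey, kid string, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64(hdr) + "." + b64(body)
	sum := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, sum[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// VerifyAssertion is the server-side check. Besides the signature and the
// assertion's exp claim, it rejects a grant when the registered key's
// expiration date has passed, the check the advisory describes as missing.
func VerifyAssertion(token string, keys map[string]RegisteredKey, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed jwt")
	}
	rawHdr, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct {
		Alg string `json:"alg"`
		Kid string `json:"kid"`
	}
	if err := json.Unmarshal(rawHdr, &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unsupported alg %q", hdr.Alg)
	}
	key, ok := keys[hdr.Kid]
	if !ok {
		return nil, errors.New("unknown key id")
	}
	// A key past its expiration date must not authorize a grant, even though
	// its signature would still verify correctly.
	if !now.Before(key.ExpiresAt) {
		return nil, ErrKeyExpired
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(key.Public, crypto.SHA256, sum[:], sig); err != nil {
		return nil, ErrBadSignature
	}
	rawClaims, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]any
	if err := json.Unmarshal(rawClaims, &claims); err != nil {
		return nil, err
	}
	// The assertion also carries its own short-lived exp (JSON numbers decode as float64).
	if exp, ok := claims["exp"].(float64); !ok || now.Unix() >= int64(exp) {
		return nil, errors.New("assertion exp has passed")
	}
	return claims, nil
}

// GrantOutcome generates a throwaway client key, registers it with the given
// expiration date, signs a fresh assertion and returns the verifier's decision.
func GrantOutcome(keyExpiresAt, now time.Time) error {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return err
	}
	keys := map[string]RegisteredKey{"client-key-1": {Public: &priv.PublicKey, ExpiresAt: keyExpiresAt}}
	claims := map[string]any{
		"iss": "client-1", "sub": "client-1",
		"aud": "https://idp.example/oauth/v2/token", // constructed token endpoint
		"exp": now.Add(5 * time.Minute).Unix(),
	}
	tok, err := SignAssertion(priv, "client-key-1", claims)
	if err != nil {
		return err
	}
	_, err = VerifyAssertion(tok, keys, now)
	return err
}

func main() {
	now := time.Date(2025, 4, 1, 12, 0, 0, 0, time.UTC)
	fmt.Println("expired key:", GrantOutcome(now.Add(-24*time.Hour), now))
	fmt.Println("valid key:  ", GrantOutcome(now.Add(24*time.Hour), now))
}
```

The order matters for operators reviewing their own implementation: the key-record expiry is checked after the key lookup and before any signature work, so an expired key is rejected regardless of whether the assertion itself is freshly signed and still within its own `exp` window. Checking only the assertion's `exp`, as the vulnerable behaviour effectively did, lets a long-revoked credential keep minting tokens.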
Recommendations
Update to version 2.63.9 or later.
Update to version 2.64.6 or later.
Update to version 2.65.7 or later.
Update to version 2.66.16 or later.
Update to version 2.67.13 or later.
Update to version 2.68.9 or later.
Update to version 2.69.9 or later.
Update to version 2.70.8 or later.
Update to version 2.71.6 or later.
Affected Products
Zitadel