PT-2025-29579 · Zitadel · Zitadel

Livio +1 · Published 2025-07-15 · Updated 2025-07-15 · CVE-2025-53895

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

ZITADEL versions prior to 4.0.0-rc.2
ZITADEL versions prior to 3.3.2
ZITADEL versions prior to 2.71.13
ZITADEL versions prior to 2.70.14
ZITADEL versions 2.53.0 through 3.3.1

Description

ZITADEL's session management API has a flaw where an authenticated user can update a session knowing only its ID, because the API performs no permission check on who is allowed to modify that session. This enables session hijacking, allowing an attacker to impersonate another user and access sensitive resources.

Recommendations

Update ZITADEL to version 4.0.0-rc.2 or later.
Update ZITADEL to version 3.3.2 or later.
Update ZITADEL to version 2.71.13 or later.
Update ZITADEL to version 2.70.14 or later.

Weakness Enumeration

Incorrect Authorization
Session Fixation

Related Identifiers

CVE-2025-53895
GHSA-6C5P-6WWW-PCMR

Affected Products

Zitadel