PT-2025-44341 · Zitadel · Zitadel

Published: 2025-10-29 · Updated: 2025-11-07 · CVE-2025-64101
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Zitadel 4.x versions prior to 4.6.0
Zitadel 3.x versions prior to 3.4.3
Zitadel 2.x versions prior to 2.71.18
Description
Zitadel builds the URL of the password reset confirmation link from the host carried in the Forwarded or X-Forwarded-Host header of the incoming request, trusting whatever value the client supplied. An attacker who can reach the password reset endpoint requests a reset for the victim's account while setting one of these headers to a domain under their control; the reset e-mail that Zitadel sends to the victim then contains a link pointing at the attacker's site that still carries the secret reset code. If the victim clicks the link, the attacker captures the code, completes the reset themselves and gains unauthorized access to the account. The attack requires that the client-supplied header reaches Zitadel unmodified, either because Zitadel is exposed directly or because the reverse proxy in front of it forwards these headers instead of overwriting them. Accounts with Multi-Factor Authentication (MFA) or Passwordless authentication enabled are not affected.
Recommendations
Update to Zitadel version 4.6.0 or later.
Update to Zitadel version 3.4.3 or later.
Update to Zitadel version 2.71.18 or later.
Where the upgrade cannot be applied immediately, configure the reverse proxy in front of Zitadel to overwrite, rather than pass through, the Forwarded and X-Forwarded-Host headers received from clients, so that only the proxy's own trusted values reach Zitadel.
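The following Go program is an added illustration of the bug class described above; it is not Zitadel's code and does not reproduce Zitadel's actual handlers. It contrasts a reset-link builder that takes the host from the Forwarded / X-Forwarded-Host headers (the vulnerable pattern) with one that only accepts hosts from an operator-configured allowlist and otherwise falls back to the configured external domain. The path "/password/reset", the query parameter "code", the hostnames and the allowlist are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// Hypothetical example, not Zitadel's code. The reset path and query
// parameter name are assumed for illustration only.
const resetPath = "/password/reset"

// forwardedHost returns the host= parameter of the first element of an
// RFC 7239 Forwarded header value, or "" when none is present.
func forwardedHost(v string) string {
	first := strings.SplitN(v, ",", 2)[0]
	for _, pair := range strings.Split(first, ";") {
		kv := strings.SplitN(strings.TrimSpace(pair), "=", 2)
		if len(kv) == 2 && strings.EqualFold(kv[0], "host") {
			return strings.Trim(strings.TrimSpace(kv[1]), `"`)
		}
	}
	return ""
}

// clientSuppliedHost mirrors the vulnerable behaviour: a host carried in
// Forwarded or X-Forwarded-Host wins over the Host the request arrived on.
func clientSuppliedHost(r *http.Request) string {
	if h := forwardedHost(r.Header.Get("Forwarded")); h != "" {
		return h
	}
	if h := r.Header.Get("X-Forwarded-Host"); h != "" {
		return h
	}
	return r.Host
}

// BuildResetLinkVulnerable builds the confirmation link from proxy headers
// the client controls. A request carrying "X-Forwarded-Host: evil.example"
// produces a link to evil.example that still contains the victim's code.
func BuildResetLinkVulnerable(r *http.Request, code string) string {
	u := url.URL{Scheme: "https", Host: clientSuppliedHost(r), Path: resetPath}
	u.RawQuery = url.Values{"code": {code}}.Encode()
	return u.String()
}

// BuildResetLinkHardened uses a header-derived host only when it is on the
// operator-configured allowlist (keys are lowercase); anything else falls back
// to the configured external domain, so proxy headers cannot move the link
// off-site.
func BuildResetLinkHardened(r *http.Request, code string, allowedHosts map[string]bool, externalDomain string) string {
	host := externalDomain
	if candidate := clientSuppliedHost(r); allowedHosts[strings.ToLower(candidate)] {
		host = candidate
	}
	u := url.URL{Scheme: "https", Host: host, Path: resetPath}
	u.RawQuery = url.Values{"code": {code}}.Encode()
	return u.String()
}

func main() {
	// Constructed request: the victim's reset is requested by the attacker,
	// who injects a malicious host via X-Forwarded-Host.
	req, _ := http.NewRequest(http.MethodPost, "https://login.example.com"+resetPath, nil)
	req.Header.Set("X-Forwarded-Host", "evil.example")
	allowed := map[string]bool{"login.example.com": true}
	fmt.Println("vulnerable:", BuildResetLinkVulnerable(req, "s3cr3t"))
	fmt.Println("hardened:  ", BuildResetLinkHardened(req, "s3cr3t", allowed, "login.example.com"))
}
```

The allowlist approach covers multi-domain deployments where the link must legitimately vary per instance; a single-domain deployment can simply pass an empty allowlist and always use the configured external domain. Either way the decisive property is that the host in the emailed link is never taken from an unvalidated request header.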

Exploit

Fix

Open Redirect


Weakness Enumeration

Related Identifiers

CVE-2025-64101
GHSA-MWMH-7PX9-4C23
GO-2025-4084
OPENSUSE-SU-2025:15710-1

Affected Products

Zitadel