PT-2025-50277 · Zitadel · Zitadel

Amit-Laish · Published 2025-12-08 · Updated 2026-01-06 · CVE-2025-67494

CVSS v3.1: 9.3 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: ZITADEL versions 4.7.0 and below

Description: ZITADEL is an open-source identity infrastructure tool susceptible to an unauthenticated, full-read Server-Side Request Forgery (SSRF) issue. The ZITADEL Login UI (V2) incorrectly trusts the x-zitadel-forward-host header, allowing an unauthenticated attacker to compel the server to make HTTP requests to arbitrary domains. This can lead to data exfiltration and circumvention of network-segmentation controls. The issue enables network pivoting by allowing attackers to map internal infrastructure.

Recommendations: Update to version 4.7.1 or later.
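The defect class described above is a server deriving its own origin from a client-controlled forwarded-host header. The following Go example is added here to illustrate the defensive pattern; it is not ZITADEL's code and does not reproduce the fixed implementation. It assumes a hypothetical operator-configured allowlist (HostAllowlist) of public hostnames, and contrasts an unchecked lookup of the header (NaiveForwardHost, the pattern the advisory warns about) with a resolver that accepts the header only when it is a bare host on that allowlist (ResolveForwardHost). The request in main() is constructed sample input.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// ErrUntrustedHost is returned when the forwarded host is absent from the
// allowlist or carries anything beyond a bare host[:port].
var ErrUntrustedHost = errors.New("forward-host header rejected: not an allowlisted host")

// HostAllowlist is the set of public hostnames an operator has configured
// for the deployment (hypothetical configuration, not Zitadel's own).
type HostAllowlist map[string]bool

// NewHostAllowlist normalises each entry so that lookups are
// case-insensitive and ignore an explicit default HTTPS port.
func NewHostAllowlist(hosts ...string) HostAllowlist {
	a := make(HostAllowlist, len(hosts))
	for _, h := range hosts {
		a[normalizeHost(h)] = true
	}
	return a
}

func normalizeHost(h string) string {
	h = strings.ToLower(strings.TrimSpace(h))
	return strings.TrimSuffix(h, ":443")
}

// NaiveForwardHost is the "before" pattern the advisory describes: the
// client-supplied header value becomes the effective host unchecked, so any
// URL built from it points wherever the client says.
func NaiveForwardHost(r *http.Request) string {
	if h := r.Header.Get("x-zitadel-forward-host"); h != "" {
		return h
	}
	return r.Host
}

// ResolveForwardHost is the hardened version. The header is honoured only
// when it parses as a bare host (no userinfo, path, query or fragment) and
// that host is on the operator allowlist; otherwise the caller gets an
// error and should fall back to r.Host or reject the request.
func ResolveForwardHost(r *http.Request, allow HostAllowlist) (string, error) {
	raw := r.Header.Get("x-zitadel-forward-host")
	if raw == "" {
		return r.Host, nil
	}
	// Prefixing a scheme lets url.Parse split the authority from anything
	// smuggled after it; every component other than Host must be empty.
	u, err := url.Parse("https://" + raw)
	if err != nil || u.Host == "" || u.User != nil ||
		u.Path != "" || u.RawQuery != "" || u.Fragment != "" {
		return "", ErrUntrustedHost
	}
	host := normalizeHost(u.Host)
	if !allow[host] {
		return "", ErrUntrustedHost
	}
	return host, nil
}

// PublicBaseURL builds the origin used for redirects and callbacks from the
// resolved host, never from the raw header.
func PublicBaseURL(r *http.Request, allow HostAllowlist) (string, error) {
	host, err := ResolveForwardHost(r, allow)
	if err != nil {
		return "", err
	}
	return "https://" + host, nil
}

func main() {
	allow := NewHostAllowlist("login.example.com")
	// Constructed request standing in for a Login UI call arriving via a proxy.
	r, _ := http.NewRequest(http.MethodGet, "https://login.example.com/ui/v2/login", nil)
	r.Host = "login.example.com"
	for _, hdr := range []string{"", "LOGIN.example.com:443", "attacker.example", "login.example.com/../x"} {
		r.Header.Set("x-zitadel-forward-host", hdr)
		base, err := PublicBaseURL(r, allow)
		fmt.Printf("header=%q naive=%q hardened=%q err=%v\n", hdr, NaiveForwardHost(r), base, err)
	}
}
```

The allowlist is deliberately a closed set of hostnames rather than a pattern match: a forwarded-host header is only meaningful behind a proxy the operator controls, so the operator already knows every value it can legitimately carry. Rejecting anything with a path, query or userinfo closes the parsing ambiguities that let a host string become a different URL once it is concatenated.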

Exploit

Fix

SSRF

Weakness Enumeration

Related Identifiers

BDU:2026-00829
CVE-2025-67494
GHSA-7WFC-4796-GMG5
GO-2025-4210
SUSE-SU-2026:0037-1

Affected Products

Zitadel