PT-2025-50278 · Zitadel · Zitadel

Amit-Laish · Published 2025-12-09 · Updated 2026-01-06 · CVE-2025-67495

CVSS v3.1: 8.0 (High)
Vector: AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: ZITADEL versions 4.0.0-rc.1 through 4.7.0

Description: ZITADEL, an open-source identity infrastructure tool, is susceptible to a DOM-based Cross-Site Scripting (XSS) issue through the ZITADEL V2 logout endpoint. The /logout API endpoint navigates to a value supplied in the post-logout redirect GET parameter without validating it. This allows an unauthenticated remote attacker to execute malicious JavaScript in the browsers of ZITADEL users. Exploitation requires multiple active user sessions in the same browser. Account takeover is mitigated when Multi-Factor Authentication (MFA) or passwordless authentication is enabled.

Recommendations: Update to version 4.7.1 or later.
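The root cause described above is a redirect parameter that reaches a DOM navigation sink unvalidated. The following is an added example, not ZITADEL's own code or its fix, showing the defensive pattern a logout page should apply before assigning anything to `window.location`: parse the candidate as an absolute URL, accept only web schemes, and require an exact match against the client's registered post-logout redirect URIs. The parameter name `post_logout_redirect_uri`, the `app.example.test` host and the registered-URI list are constructed for the example.

```javascript
// Added example (not ZITADEL's code): validate a post-logout redirect target
// before it reaches a DOM navigation sink such as window.location.href.
// Assumptions: the value arrives in a query parameter (hypothetical name
// "post_logout_redirect_uri") and the app knows the client's registered
// post-logout redirect URIs.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns the normalized registered target (origin + path) or null.
// Query string and fragment supplied by the caller are discarded.
function resolvePostLogoutRedirect(candidate, registeredUris) {
  if (typeof candidate !== "string" || candidate.length === 0) return null;
  let target;
  try {
    // No base URL on purpose: relative or scheme-less values are rejected
    // instead of being resolved against the current origin.
    target = new URL(candidate);
  } catch (e) {
    return null;
  }
  // A javascript: or data: URL assigned to location.href executes in the
  // page context (DOM-based XSS); only navigable web schemes are accepted.
  if (!ALLOWED_SCHEMES.has(target.protocol)) return null;
  const normalized = target.origin + target.pathname;
  for (const entry of registeredUris) {
    let allowed;
    try {
      allowed = new URL(entry);
    } catch (e) {
      continue; // a malformed registration never matches
    }
    if (allowed.origin + allowed.pathname === normalized) return normalized;
  }
  return null;
}

// The unsafe pattern is `locationLike.href = param` with param taken
// straight from the query string. The hardened version below only lets a
// validated, registered target reach the sink and otherwise falls back to a
// fixed, server-controlled page. Returns the href actually assigned.
function hardenedLogoutRedirect(locationLike, logoutUrl, registeredUris, fallback) {
  const param = new URL(logoutUrl).searchParams.get("post_logout_redirect_uri");
  const target = resolvePostLogoutRedirect(param, registeredUris);
  locationLike.href = target !== null ? target : fallback;
  return locationLike.href;
}

// Constructed sample data for a stand-alone run.
const REGISTERED = ["https://app.example.test/loggedout"];
const FALLBACK = "https://app.example.test/";

function demo() {
  const loc = { href: "" }; // stand-in for window.location
  const cases = [
    "https://login.example.test/logout?post_logout_redirect_uri=https%3A%2F%2Fapp.example.test%2Floggedout%3Fx%3D1",
    "https://login.example.test/logout?post_logout_redirect_uri=javascript%3Aalert(1)",
    "https://login.example.test/logout?post_logout_redirect_uri=%2F%2Fevil.example%2Floggedout",
    "https://login.example.test/logout",
  ];
  return cases.map((u) => hardenedLogoutRedirect(loc, u, REGISTERED, FALLBACK));
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

Matching on origin plus path rather than a prefix or substring is deliberate: prefix checks are routinely bypassed with user-info, subdomain or path tricks, and an exact match against registered URIs is what the OIDC RP-initiated logout specification expects of the `post_logout_redirect_uri` value.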

Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers

CVE-2025-67495
GHSA-V959-QXV6-6F8P
GO-2025-4213
SUSE-SU-2026:0037-1

Affected Products

Zitadel