CVE-2025-53895
BaseFortify
Publication date: 2025-07-15
Last updated on: 2025-08-26
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zitadel | zitadel | From 2.53.0 (inc) to 2.70.14 (exc) |
| zitadel | zitadel | From 2.71.0 (inc) to 2.71.13 (exc) |
| zitadel | zitadel | From 3.0.0 (inc) to 3.3.1 (exc) |
| zitadel | zitadel | 4.0.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
| CWE-384 | Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-53895 is a vulnerability in ZITADEL's session management API where any authenticated user who knows a session ID can update that session due to a missing permission check. This flaw allows session hijacking, enabling an attacker to impersonate another user and access sensitive resources by obtaining a new session token without proper authorization. The issue arises because starting from version 2.53.0, the system removed the requirement to provide the latest session token for session updates, which inadvertently introduced this security gap. [5]
How can this vulnerability impact me?
This vulnerability can allow an attacker with low privileges (any authenticated user) to hijack sessions and impersonate other users, bypassing full authentication including multi-factor authentication (MFA). This leads to unauthorized access to sensitive resources and compromises the confidentiality, integrity, and availability of the system. The attacker can remotely exploit this vulnerability with low complexity and no user interaction, making it a significant security risk. [5]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
To detect this vulnerability on your system, you can monitor session events in the event store database by creating materialized views that track session updates. This allows identification of unauthorized session updates by users who lack the proper IAM_LOGIN_CLIENT role. Specific queries can be used to detect compromised sessions and offending users, enabling auditing and permission adjustments. The advisory recommends focusing on session update events to find any unauthorized modifications. [5]
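The detection idea above, as an added example that is not code from ZITADEL or the advisory: it runs the "session updates by a user without IAM_LOGIN_CLIENT" check over an exported set of event-store rows. The row field names (aggregate_type, aggregate_id, event_type, creator) and the sample export are assumptions constructed for the example; in practice the same logic would be expressed as a query or materialized view over the real event store.

```python
import json

# Constructed sample export (JSON lines). Field names are assumptions, not
# ZITADEL's documented schema; adapt them to the real event-store columns.
SAMPLE_EXPORT = """\
{"aggregate_type":"session","aggregate_id":"sess-1","event_type":"session.added","creator":"login-client"}
{"aggregate_type":"session","aggregate_id":"sess-1","event_type":"session.user.checked","creator":"login-client"}
{"aggregate_type":"session","aggregate_id":"sess-2","event_type":"session.added","creator":"login-client"}
{"aggregate_type":"session","aggregate_id":"sess-2","event_type":"session.token.set","creator":"user-mallory"}
{"aggregate_type":"user","aggregate_id":"user-alice","event_type":"user.human.added","creator":"admin"}
"""

# Users that legitimately hold IAM_LOGIN_CLIENT; in practice read from role grants.
LOGIN_CLIENT_USERS = {"login-client"}


def parse_events(export):
    """Parse a JSON-lines export into event dicts, skipping blank lines."""
    return [json.loads(line) for line in export.splitlines() if line.strip()]


def find_unauthorized_session_updates(events, login_client_users):
    """Return (session_id, user, event_type) for every update to a session
    aggregate whose author does not hold IAM_LOGIN_CLIENT.

    Creation events (session.added) are skipped: the vulnerability concerns
    updates to sessions that already exist.
    """
    findings = []
    for ev in events:
        if ev["aggregate_type"] != "session" or ev["event_type"] == "session.added":
            continue
        if ev["creator"] in login_client_users:
            continue
        findings.append((ev["aggregate_id"], ev["creator"], ev["event_type"]))
    return findings


def offending_users(findings):
    """Distinct users behind unauthorized updates, for permission review."""
    return sorted({user for _, user, _ in findings})


if __name__ == "__main__":
    hits = find_unauthorized_session_updates(parse_events(SAMPLE_EXPORT), LOGIN_CLIENT_USERS)
    for sid, user, etype in hits:
        print(f"session {sid}: {etype} by {user} without IAM_LOGIN_CLIENT")
    print("offending users:", offending_users(hits))
```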
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading Zitadel to a patched version: 4.0.0-rc.2 or later for 4.x, 3.3.2 or later for 3.x, and 2.70.14 or 2.71.13 or later for 2.x. Before upgrading, verify and restrict user roles and permissions so that only authorized users have session management capabilities, specifically by granting the IAM_LOGIN_CLIENT role only where it is needed. Additionally, monitor session events to detect unauthorized session updates and adjust permissions accordingly. [2, 4, 1, 5, 3]