CVE-2025-64101
BaseFortify

Publication date: 2025-10-29

Last updated on: 2025-11-04

Assigner: GitHub, Inc.

Description
Zitadel is open-source identity infrastructure software. Prior to 4.6.0, 3.4.3, and 2.71.18, a potential vulnerability exists in ZITADEL's password reset mechanism. ZITADEL utilizes the Forwarded or X-Forwarded-Host header from incoming requests to construct the URL for the password reset confirmation link. This link, containing a secret code, is then emailed to the user. If an attacker can manipulate these headers (e.g., via host header injection), they could cause ZITADEL to generate a password reset link pointing to a malicious domain controlled by the attacker. If the user clicks this manipulated link in the email, the secret reset code embedded in the URL can be captured by the attacker. This captured code could then be used to reset the user's password and gain unauthorized access to their account. It's important to note that this specific attack vector is mitigated for accounts that have Multi-Factor Authentication (MFA) or Passwordless authentication enabled. This vulnerability is fixed in 4.6.0, 3.4.3, and 2.71.18.
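The pattern the advisory describes, a reset link whose host is copied from a client-settable proxy header, next to the defensive construction, using an operator-configured external origin and, where a proxy header must be honoured, an allowlist check. This is an added illustration written for this page, not ZITADEL's own code; the path /ui/login/password/init, the hostnames auth.example.com and untrusted.example, and the function names are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
)

// Hypothetical confirmation route; ZITADEL's real route is not assumed here.
const resetPath = "/ui/login/password/init"

// vulnerableResetLink shows the flawed pattern from the advisory: the host of
// the emailed link is taken from X-Forwarded-Host (the Forwarded header is
// handled the same way in the real bug), which any client can set when no
// trusted proxy strips it. Kept only as the "before" side of the comparison.
func vulnerableResetLink(r *http.Request, code string) string {
	host := r.Header.Get("X-Forwarded-Host")
	if host == "" {
		host = r.Host
	}
	return fmt.Sprintf("https://%s%s?code=%s", host, resetPath, url.QueryEscape(code))
}

// ResetLinkBuilder carries the operator-configured external origin. Request
// headers are never consulted for the host part of a secret-bearing link.
type ResetLinkBuilder struct {
	externalOrigin *url.URL
}

// NewResetLinkBuilder validates the configured origin once at startup:
// https only, a host, and no path or query that could alter the link.
func NewResetLinkBuilder(origin string) (*ResetLinkBuilder, error) {
	u, err := url.Parse(origin)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "https" || u.Host == "" || u.Path != "" || u.RawQuery != "" {
		return nil, errors.New("external origin must be https://host with no path or query")
	}
	return &ResetLinkBuilder{externalOrigin: u}, nil
}

// ResetLink builds the confirmation URL from the configured origin only, so a
// forged X-Forwarded-Host or Forwarded header cannot redirect the code.
func (b *ResetLinkBuilder) ResetLink(code string) string {
	u := *b.externalOrigin // copy; the configured value stays untouched
	u.Path = resetPath
	q := url.Values{}
	q.Set("code", code)
	u.RawQuery = q.Encode()
	return u.String()
}

// ValidateForwardedHost is for deployments that must derive the host from a
// proxy header (for example per-tenant custom domains): the header value is
// accepted only if it matches an operator-maintained allowlist.
func ValidateForwardedHost(r *http.Request, allowed map[string]bool) (string, error) {
	h := r.Header.Get("X-Forwarded-Host")
	if h == "" {
		return "", errors.New("no X-Forwarded-Host header present")
	}
	if !allowed[h] {
		return "", fmt.Errorf("forwarded host %q is not an allowed domain", h)
	}
	return h, nil
}

func main() {
	// Constructed request: the proxy header carries a host the operator does not own.
	req, _ := http.NewRequest("GET", "https://auth.example.com/reset", nil)
	req.Host = "auth.example.com"
	req.Header.Set("X-Forwarded-Host", "untrusted.example")
	const code = "EXAMPLE-CODE" // placeholder, not a real reset token

	fmt.Println("header-derived link:", vulnerableResetLink(req, code))
	b, err := NewResetLinkBuilder("https://auth.example.com")
	if err != nil {
		panic(err)
	}
	fmt.Println("configured-origin link:", b.ResetLink(code))
	if _, err := ValidateForwardedHost(req, map[string]bool{"auth.example.com": true}); err != nil {
		fmt.Println("allowlist check rejected header:", err)
	}
}
```

The first line printed points at untrusted.example, the second at the configured origin regardless of the header. A deployment-level check worth adding alongside the code change is to confirm that the reverse proxy overwrites, rather than passes through, X-Forwarded-Host and Forwarded on every inbound request.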
Meta Information
Published: 2025-10-29
Last Modified: 2025-11-04
Generated: 2026-05-07
AI Q&A: 2025-10-29
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (3 associated CPEs)
Vendor    Product    Version / Range
zitadel   zitadel    up to 2.71.18 (excluding)
zitadel   zitadel    from 3.0.0 (including) to 3.4.3 (excluding)
zitadel   zitadel    from 4.0.0 (including) to 4.6.0 (excluding)
CWE ID    Description
CWE-601   The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
CWE-640   The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in Zitadel's password reset mechanism where the software uses the Forwarded or X-Forwarded-Host header from incoming requests to build the password reset confirmation link URL. An attacker can manipulate these headers to make Zitadel generate a reset link pointing to a malicious domain controlled by the attacker. If a user clicks this malicious link, the secret reset code in the URL can be captured by the attacker, allowing them to reset the user's password and gain unauthorized access to the account. This attack is mitigated if the account has Multi-Factor Authentication (MFA) or Passwordless authentication enabled. The vulnerability is fixed in versions 4.6.0, 3.4.3, and 2.71.18.

How can this vulnerability impact me?

If exploited, this vulnerability can allow an attacker to reset your password by capturing the secret reset code through a manipulated password reset link. This leads to unauthorized access to your account, potentially compromising your personal data and any services linked to that account. However, if you have MFA or Passwordless authentication enabled, this attack vector is mitigated.
What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, immediately upgrade Zitadel to version 4.6.0, 3.4.3, or 2.71.18 or later. Additionally, enable Multi-Factor Authentication (MFA) or Passwordless authentication for user accounts, as these measures mitigate the attack vector involving manipulated password reset links.