CNNVD-202510-3960 Information
CNNVD ID
CNNVD-202510-3960
Related CVE
- CNNVD Published: 2025-10-29
Description (Chinese)
ZITADEL是瑞士ZITADEL开源的一个 Auth0、Firebase Auth、AWS Cognito 以及为容器和无服务器时代构建的 Keycloak 的现代开源替代方案。 ZITADEL 4.6.0之前版本、3.4.3之前版本和2.71.18之前版本存在授权问题漏洞,该漏洞源于密码重置机制使用可操纵的Forwarded或X-Forwarded-Host标头构造URL,可能导致未授权账户访问。
Description (English)
ZITADEL is a modern open source alternative to Auth0, Firebase Auth, AWS Cognito and Keycloak built in the age of packagings and servers. ZITADEL before 4.6.0, before 3.4.3 and before 2.71.18 have a mandate gap, which stems from the fact that the password-replacement mechanism constructs the URL using a manageable Forwarded or X-Forwarded-Host header, which may lead to unauthorized access to the account.
Hazard Level
Medium
Vulnerability Type
授权问题
Affected Vendor
ZITADEL
Published
2025-10-29
Last Modified
2026-02-24
References
https://github.com/zitadel/zitadel/commit/72a5c33e6ac302b978d564bd049f9364f5a989b1 https://github.com/zitadel/zitadel/security/advisories/GHSA-mwmh-7px9-4c23 https://access.redhat.com/security/cve/cve-2025-64101
Patch
https://github.com/zitadel/zitadel/releases
Share on: