CVE-2025-67495

ZITADEL is an open-source identity infrastructure tool. Versions 4.0.0-rc.1 through 4.7.0 are vulnerable to DOM-Based XSS through the Zitadel V2 logout endpoint. The /logout endpoint insecurely routes to a value that is supplied in the post_logout_redirect GET parameter. As a result, unauthenticated remote attacker can execute malicious JS code on Zitadel users’ browsers. To carry out an attack, multiple user sessions need to be active in the same browser, however, account takeover is mitigated when using Multi-Factor Authentication (MFA) or Passwordless authentication. This issue is fixed in version 4.7.1.

CVSS v3 8.0 HIGH

8.0^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.6 / Impact : 5.8

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/zitadel/zitadel/commit/4c879b47334e01d4fcab921ac1b44eda39acdb96	Patch
https://github.com/zitadel/zitadel/security/advisories/GHSA-v959-qxv6-6f8p	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*

History

19 Dec 2025, 18:30

Type	Values Removed	Values Added
References	~~() https://github.com/zitadel/zitadel/commit/4c879b47334e01d4fcab921ac1b44eda39acdb96 -~~	() https://github.com/zitadel/zitadel/commit/4c879b47334e01d4fcab921ac1b44eda39acdb96 - Patch
References	~~() https://github.com/zitadel/zitadel/security/advisories/GHSA-v959-qxv6-6f8p -~~	() https://github.com/zitadel/zitadel/security/advisories/GHSA-v959-qxv6-6f8p - Vendor Advisory
CPE		cpe:2.3:a:zitadel:zitadel::::::::
First Time		Zitadel Zitadel zitadel

09 Dec 2025, 23:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-12-09 23:15

Updated : 2025-12-19 18:30

NVD link : CVE-2025-67495

Mitre link : CVE-2025-67495

CVE.ORG link : CVE-2025-67495

JSON object : View

Products Affected

zitadel

zitadel

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2025-67495", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.0, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.8, "exploitabilityScore": 1.6}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2025-12-09T23:15:59.933", "references": [{"url": "https://github.com/zitadel/zitadel/commit/4c879b47334e01d4fcab921ac1b44eda39acdb96", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-v959-qxv6-6f8p", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "ZITADEL is an open-source identity infrastructure tool. Versions 4.0.0-rc.1 through 4.7.0 are vulnerable to DOM-Based XSS through the Zitadel V2 logout endpoint. The /logout endpoint insecurely routes to a value that is supplied in the post_logout_redirect GET parameter. As a result, unauthenticated remote attacker can execute malicious JS code on Zitadel users\u2019 browsers. To carry out an attack, multiple user sessions need to be active in the same browser, however, account takeover is mitigated when using Multi-Factor Authentication (MFA) or Passwordless authentication. This issue is fixed in version 4.7.1."}], "lastModified": "2025-12-19T18:30:55.107", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E1B051D6-969F-4B70-BF3F-AFD77FB00251", "versionEndExcluding": "4.7.1", "versionStartIncluding": "4.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}