8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-46815

GHSA ID

GHSA-g4r8-mp7g-85fq

EPSS Score

0.21535%

CWE

CWE-294

Published

5/6/2025

Updated

5/6/2025

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-46815

CVE-2025-46815: ZITADEL Allows IdP Intent Token Reuse

Impact

ZITADEL offers developers the ability to manage user sessions using the Session API. This API enables the use of IdPs for authentication, known as idp intents.

Following a successful idp intent, the client receives an id and token on a predefined URI. These id and token can then be used to authenticate the user or their session.

However, it was possible to exploit this feature by repeatedly using intents. This allowed an attacker with access to the application’s URI to retrieve the id and token, enabling them to authenticate on behalf of the user.

It’s important to note that the use of additional factors (MFA) prevents a complete authentication process and, consequently, access to the ZITADEL API.

Patches

3.x versions are fixed on >=3.0.0 2.71.x versions are fixed on >=2.71.9 2.x versions are fixed on >=2.70.10

Workarounds

The recommended solution is to update ZITADEL to a patched version.

Questions

If you have any questions or comments about this advisory, please email us at security@zitadel.com

Credits

Thanks to Józef Chraplewski from Nedap for reporting this vulnerability.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-46815

CVE-2025-46815:

8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-46815

GHSA ID

GHSA-g4r8-mp7g-85fq

EPSS Score

0.21535%

CWE

CWE-294

Published

5/6/2025

Updated

5/6/2025

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/zitadel/zitadel	go	>= 3.0.0-rc.1, <= 3.0.0-rc.3	3.0.0
github.com/zitadel/zitadel	go	< 2.70.10	2.70.10
github.com/zitadel/zitadel

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability allowed the reuse of IdP intent tokens. This was possible because the mechanisms for processing these tokens during session authentication (SetSession, CreateSession) did not adequately check if a token had already been consumed or if it had expired. Additionally, the endpoint for retrieving intent details (RetrieveIdentityProviderIntent) did not check for token expiry. The patch addressed these issues by:

Introducing an expiration lifetime for IdP intents (maxIdPIntentLifetime) and checking this expiry in internal/command/session.go (within the logic called by SetSession/CreateSession) and directly in RetrieveIdentityProviderIntent.
Adding a 'consumed' state for IdP intents (domain.IDPIntentStateConsumed and idpintent.ConsumedEvent), ensuring that an intent token, once used, cannot be used again. This check is implicitly part of the cmd.intentWriteModel.State != domain.IDPIntentStateSucceeded check after the model reduction in internal/command/session.go. The identified vulnerable functions are the gRPC API endpoints that an attacker would interact with to exploit this flaw. While the core logic changes are in the internal/command layer, these gRPC methods were the entry points that exposed the vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-46815: ZITADEL Allows IdP Intent Token Reuse

Impact

Patches

Workarounds

Questions

Credits

CVE-2025-46815:

8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

CVE-2025-46815: ZITADEL Allows IdP Intent Token Reuse

Impact

Patches

Workarounds

Questions

Credits

8

8

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI