8.1

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-48936

CVE-2025-48936: ZITADEL Allows Account Takeover via Malicious X-Forwarded-Proto Header Injection

Impact

A potential vulnerability exists in ZITADEL's password reset mechanism. ZITADEL utilizes the Forwarded or X-Forwarded-Host header from incoming requests to construct the URL for the password reset confirmation link. This link, containing a secret code, is then emailed to the user.

If an attacker can manipulate these headers (e.g., via host header injection), they could cause ZITADEL to generate a password reset link pointing to a malicious domain controlled by the attacker. If the user clicks this manipulated link in the email, the secret reset code embedded in the URL can be captured by the attacker. This captured code could then be used to reset the user's password and gain unauthorized access to their account.

It's important to note that this specific attack vector is mitigated for accounts that have Multi-Factor Authentication (MFA) or Passwordless authentication enabled.

Patches

Patched version ensure proper validation of the headers and do not allow downgrading from https to http.

3.x versions are fixed on >=3.2.2 2.71.x versions are fixed on >=2.71.11 2.x versions are fixed on >=2.70.12

Workarounds

The recommended solution is to update ZITADEL to a patched version.

A ZITADEL fronting proxy can be configured to delete all Forwarded and X-Forwarded-Host header values before sending requests to ZITADEL self-hosted environments.

Questions

If you have any questions or comments about this advisory, please email us at security@zitadel.com

Credits

Thanks to Amit Laish – GE Vernova for finding and reporting the vulnerability.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-48936

CVE-2025-48936:

8.1

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/zitadel/zitadel	go	< 0.0.0-20250528081227-c097887bc5f6	0.0.0-20250528081227-c097887bc5f6
github.com/zitadel/zitadel/v2	go	>= 2.38.3, < 2.70.12	2.70.12
github.com/zitadel/zitadel/v2	go	>= 3.0.0-rc1, < 3.2.2	3.2.2
github.com/zitadel/zitadel/v2	go	>= 2.71.0, <= 2.71.10	2.71.11
github.com/zitadel/zitadel/v2	go	< 2.38.2-0.20240919104753-94d1eb767837

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability (CVE-2025-48936) in ZITADEL allowed account takeover via malicious X-Forwarded-Proto or Forwarded header injection. ZITADEL used these headers to construct the URL for password reset confirmation links. An attacker could manipulate these headers to make the generated link point to a malicious domain.

The root cause of the vulnerability lies in two key functions within internal/api/http/middleware/origin_interceptor.go:

hostFromRequest: This function was responsible for parsing headers like Forwarded and X-Forwarded-Proto to extract the protocol. Critically, it did not validate the extracted protocol string (e.g., ensuring it was only 'http' or 'https'). This meant an attacker-controlled, unvalidated protocol string could be passed on for further processing.
composeDomainContext: This function used the (potentially unvalidated) protocol from hostFromRequest to determine the final protocol for the password reset URL. Its logic for deciding this protocol was insufficient. It could be manipulated to use an 'http' scheme when 'https' was appropriate (protocol downgrade) or use an attacker-controlled scheme derived from the manipulated headers. This allowed the construction of a password reset link pointing to an attacker's server, enabling them to capture the password reset token if the user clicked the link.

The patch addresses these issues by:

Adding validation in hostFromRequest to ensure that only 'http' or 'https' are accepted as protocol strings from headers.
Introducing a new enforceHttps flag and a helper function protocolFromRequest within composeDomainContext to implement stricter logic for determining the protocol, preventing downgrades and prioritizing secure configurations.

During exploitation, these two functions would be involved in processing the malicious headers and constructing the manipulated URL. Therefore, their names would likely appear in runtime profiles or stack traces.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8.1

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-48936: ZITADEL Allows Account Takeover via Malicious X-Forwarded-Proto Header Injection

Impact

Patches

Workarounds

Questions

Credits

CVE-2025-48936:

8.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

Basic Information

Basic Information

8.1

8.1

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-48936: ZITADEL Allows Account Takeover via Malicious X-Forwarded-Proto Header Injection

Impact

Patches

Workarounds

Questions

Credits

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI