8.1

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-64101

GHSA ID

GHSA-mwmh-7px9-4c23

EPSS Score

CWE

CWE-601

Published

10/29/2025

Updated

10/29/2025

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-64101

CVE-2025-64101: ZITADEL Vulnerable to Account Takeover via Malicious Forwarded Header Injection

Impact

A potential vulnerability exists in ZITADEL's password reset mechanism. ZITADEL utilizes the Forwarded or X-Forwarded-Host header from incoming requests to construct the URL for the password reset confirmation link. This link, containing a secret code, is then emailed to the user.

If an attacker can manipulate these headers (e.g., via host header injection), they could cause ZITADEL to generate a password reset link pointing to a malicious domain controlled by the attacker. If the user clicks this manipulated link in the email, the secret reset code embedded in the URL can be captured by the attacker. This captured code could then be used to reset the user's password and gain unauthorized access to their account.

It's important to note that this specific attack vector is mitigated for accounts that have Multi-Factor Authentication (MFA) or Passwordless authentication enabled.

Affected Versions

Systems running one of the following versions:

4.x: 4.0.0 to 4.5.0 (including RC versions)
3.x: 3.0.0 to 3.4.2 (including RC versions)
2.x: v2.0.0 to 2.71.17

Patches

Patched version ensure proper validation of the headers:

4.x: Upgrade to >=4.6.0 3.x: Update to >=3.4.3 2.x: Update to >=2.71.18

Workarounds

The recommended solution is to update ZITADEL to a patched version.

A ZITADEL fronting proxy can be configured to delete all Forwarded and X-Forwarded-Host header values before sending requests to ZITADEL self-hosted environments.

Questions

If you have any questions or comments about this advisory, please email us at security@zitadel.com

Credits

Thanks to Amit Laish – GE Vernova for finding and reporting the vulnerability.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-64101

CVE-2025-64101:

8.1

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-64101

GHSA ID

GHSA-mwmh-7px9-4c23

EPSS Score

CWE

CWE-601

Published

10/29/2025

Updated

10/29/2025

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/zitadel/zitadel/v2	go	< 2.71.18	2.71.18

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in the improper handling of HTTP host headers, specifically the Forwarded and X-Forwarded-Host headers. The application used these headers to construct URLs, including for password resets. An attacker could inject a malicious value into these headers (e.g., example.com:@attacker.com) to craft a password reset link that points to an attacker-controlled domain.

The root cause is twofold: first, the lack of input sanitization when reading the header values, and second, the use of unsafe string splitting (strings.Split(host, ":")) to parse the domain from the host. The primary vulnerable function is hostFromRequest in internal/api/http/middleware/origin_interceptor.go, which reads the header value without validation. The patch introduces a sanitizeHost function that uses net.SplitHostPort for robust parsing and validation, preventing the injection.

Other functions like Queries.InstanceByHost and DomainCtx.RequestedDomain were also identified as vulnerable because they contained the same flawed strings.Split parsing logic, making them susceptible to the same type of manipulation. The fix involved removing this logic and relying on correctly parsed and sanitized host information.

Vulnerable functions

hostFromRequest

internal/api/http/middleware/origin_interceptor.go

This function reads the host from HTTP headers (like X-Forwarded-Host). Before the patch, it directly used the header value without sanitization. An attacker could provide a malicious value like 'localhost:@attacker.com' to cause an open redirect. The patch introduces the 'sanitizeHost' function to validate the host header.

Queries.InstanceByHost

internal/query/instance.go

This method was responsible for finding an instance by its host. It used `strings.Split` to extract the domain from the host string, which is not a safe way to parse hostnames and can be bypassed by a malicious host header. The function signature was changed to expect a pre-parsed domain, removing the vulnerable parsing logic.

DomainCtx.RequestedDomain

internal/api/http/request_context.go

This method, used to get the domain part of a host, incorrectly used `strings.Split` for parsing. This could be exploited by a malicious host header. The patch replaces this with a more robust implementation using `net.SplitHostPort` via the new `hostnameFromHost` function.

WebAuthNsToCredentials

internal/webauthn/converter.go

This function also contained the flawed logic of using `strings.Split` to parse the host from the context's `InstanceHost`. This is another instance of the same parsing vulnerability found in other parts of the codebase, which could be exploited by a malicious host header.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8.1

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-64101: ZITADEL Vulnerable to Account Takeover via Malicious Forwarded Header Injection

Impact

Affected Versions

Patches

Workarounds

Questions

Credits

CVE-2025-64101:

8.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

8.1

8.1

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-64101: ZITADEL Vulnerable to Account Takeover via Malicious Forwarded Header Injection

Impact

Affected Versions

Patches

Workarounds

Questions

Credits

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI