8

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-67495

CVE-2025-67495: ZITADEL Vulnerable to Account Takeover via DOM-Based XSS in Zitadel V2 Login

Summary

A potential vulnerability exists in ZITADEL's logout endpoint in login V2. This endpoint accepts serval parameters including a post_logout_redirect. When this parameter is specified, users will be redirected to the site that is provided via this parameter. ZITADEL's login UI did not ensure that this parameter contained an allowed value and even executed passed scripts.

Impact

Zitadel is vulnerable to a DOM-Based XSS vulnerability. More specifically, the /logout endpoint insecurely routed to value that is supplied in the post_logout_redirect GET parameter. As a result, malicious JS code could be executed on Zitadel users’ browsers, in the Zitadel V2 Login domain.

An unauthenticated remote attacker can exploit this DOM-based XSS vulnerability, and thus, execute malicious JavaScript code on behalf of Zitadel users. By doing so, such an attacker could reset the password of their victims, and take over their accounts.

Note that for this to work, multiple user sessions need to be active in the same browser. Additionally, it's important to note that an account takeover is mitigated for accounts that have Multi-Factor Authentication (MFA) or Passwordless authentication enabled.

Affected Versions

Systems using the login UI (v2) and running one of the following versions are affected:

v4.x: 4.0.0-rc.1 through 4.7.0

Patches

The vulnerability has been addressed in the latest release. The patch resolves the issue by ensuring the information was passed for the ZITADEL API using a JSON Web Token (JWT). If you're running your own login UI, we recommend switching over to the new logout_token parameter, which contains all information previously passed via specific query parameters. The contained JWT's signature needs to be verified with the instance OAuth2/OIDC public keys (jwks_uri).

Before you upgrade, ensure that:

the ZITADEL_API_URL is set and is pointing to your instance, resp. system in multi-instance deployments.
the HTTP host (or a x-forwarded-host) is passed in your reverse proxy to the login UI.
a x-zitadel-instance-host (or x-zitadel-forward-host) is set in your reverse for multi-instance deployments. If you're running a single instance solution, you don't need to take any actions.

Patched versions:

4.x: Upgrade to >=4.7.1

Workarounds

The recommended solution is to update ZITADEL to a patched version.

Questions

If you have any questions or comments about this advisory, please email us at security@zitadel.com

Credits

Thanks to Amit Laish – GE Vernova for finding and reporting the vulnerability.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-67495

CVE-2025-67495:

8

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/zitadel/zitadel	go	< 1.80.0-v2.20.0.20251208091519-4c879b47334e	1.80.0-v2.20.0.20251208091519-4c879b47334e
github.com/zitadel/zitadel	go	>= 1.83.4, <= 1.87.5
github.com/zitadel/zitadel	go	>= 4.0.0-rc.1, < 4.7.1	4.7.1
github.com/zitadel/zitadel/v2	go	< 1.80.0-v2.20.0.20251208091519-4c879b47334e	1.80.0-v2.20.0.20251208091519-4c879b47334e

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a DOM-based Cross-Site Scripting (XSS) issue in the logout functionality of ZITADEL's V2 login interface. The root cause lies in the apps/login/src/app/(login)/logout/page.tsx file, where the Page component directly used the post_logout_redirect and post_logout_redirect_uri GET parameters from the URL to redirect the user after logout. There was no validation or sanitization of this user-provided input, allowing an attacker to inject a javascript: URI. This would lead to the execution of arbitrary JavaScript in the user's browser within the security context of the ZITADEL login domain, enabling session manipulation and potential account takeover.

The patch addresses this by fundamentally changing how logout parameters are handled. Instead of passing them directly in the URL, the backend, specifically in internal/api/oidc/auth_request.go, now generates a signed JSON Web Token (JWT) called logout_token. This token securely encapsulates the post_logout_redirect_uri and other logout-related data. The frontend Page component was modified to stop reading the insecure parameters directly. It now expects the logout_token, verifies its signature using the newly introduced verifyJwt function, and only then extracts and uses the redirect URI from the trusted token payload. This ensures the integrity and authenticity of the logout parameters, effectively mitigating the XSS vulnerability.

Vulnerable functions

Page

apps/login/src/app/(login)/logout/page.tsx

The `Page` function in `apps/login/src/app/(login)/logout/page.tsx` was vulnerable to DOM-based XSS. It directly consumed the `post_logout_redirect` or `post_logout_redirect_uri` query parameters from the URL without validation. An attacker could craft a URL with a malicious `javascript:` payload in this parameter. When a user visited this URL, the script would execute in the context of the ZITADEL login page, allowing the attacker to perform actions on behalf of the user, potentially leading to account takeover.

buildLoginV2LogoutURL

internal/api/oidc/auth_request.go

The `buildLoginV2LogoutURL` function was responsible for constructing the logout URL. Before the patch, it directly embedded the `post_logout_redirect` URI into the URL parameters. This function contributed to the vulnerability by creating the URL that the vulnerable frontend would then process. The patch changes this function to create a signed JWT (`logout_token`) containing the logout parameters, preventing tampering.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-67495: ZITADEL Vulnerable to Account Takeover via DOM-Based XSS in Zitadel V2 Login

Summary

Impact

Affected Versions

Patches

Workarounds

Questions

Credits

CVE-2025-67495:

8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

8

8

CVE-2025-67495: ZITADEL Vulnerable to Account Takeover via DOM-Based XSS in Zitadel V2 Login

Summary

Impact

Affected Versions

Patches

Workarounds

Questions

Credits

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI