8.1

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-pfrf-9r5f-73f5

GHSA-pfrf-9r5f-73f5: ZITADEL Vulnerable to Account Takeover Due to Improper Instance Validation in V2 Login

Summary

A potential vulnerability exists in ZITADEL's password reset mechanism in login V2. ZITADEL utilizes the Forwarded or X-Forwarded-Host header from incoming requests to construct the URL for the password reset confirmation link. This link, containing a secret code, is then emailed to the user.

Impact

If an attacker can manipulate these headers (e.g., via host header injection), they could cause ZITADEL to generate a password reset link pointing to a malicious domain controlled by the attacker. If the user clicks this manipulated link in the email, the secret reset code embedded in the URL can be captured by the attacker. This captured code could then be used to reset the user's password and gain unauthorized access to their account.

It's important to note that this specific attack vector is mitigated for accounts that have Multi-Factor Authentication (MFA) or Passwordless authentication enabled.

Affected Versions

Systems using the login UI (v2) and running one of the following versions are affected:

v4.x: 4.0.0-rc.1 through 4.7.0

Patches

The vulnerability has been addressed in the latest release. The patch resolves the issue by correctly validating the X-Forwarded-Host and Forwarded headers against the instance custom and trusted domains.

Before you upgrade, ensure that:

the ZITADEL_API_URL is set and is pointing to your instance, resp. system in multi-instance deployments.
the HTTP host (or a x-forwarded-host) is passed in your reverse proxy to the login UI.
a x-zitadel-instance-host (or x-zitadel-forward-host) is set in your reverse for multi-instance deployments. If you're running a single instance solution, you don't need to take any actions.

Patched versions:

4.x: Upgrade to >=4.7.1

Workarounds

The recommended solution is to update ZITADEL to a patched version.

A ZITADEL fronting proxy can be configured to delete all forwarded header values or set it to the requested host before sending requests to ZITADEL self-hosted environments.

Questions

If you have any questions or comments about this advisory, please email us at security@zitadel.com

Credits

Thanks to Amit Laish – GE Vernova for finding and reporting the vulnerability.

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-pfrf-9r5f-73f5

GHSA-pfrf-9r5f-73f5:

8.1

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/zitadel/zitadel	go	< 1.80.0-v2.20.0.20251208091519-4c879b47334e	1.80.0-v2.20.0.20251208091519-4c879b47334e
github.com/zitadel/zitadel	go	>= 1.83.4, <= 1.87.5
github.com/zitadel/zitadel	go	>= 4.0.0-rc.1, < 4.7.1	4.7.1
github.com/zitadel/zitadel/v2	go	< 1.80.0-v2.20.0.20251208091519-4c879b47334e	1.80.0-v2.20.0.20251208091519-4c879b47334e

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a classic host header injection in the password reset functionality. The root cause lies in the apps/login/src/lib/server/host.ts file, where the getOriginalHost function blindly trusted the x-forwarded-host header provided by the user. This allowed an attacker to control the domain used in the password reset link.

The resetPassword function in apps/login/src/lib/server/password.ts used the value from the vulnerable getOriginalHost function to construct the password reset URL that was then emailed to the user. By injecting a malicious domain into the x-forwarded-host header, an attacker could cause the password reset link to be sent to a server they control. When the victim clicks the link, the attacker captures the secret password reset token from the URL, allowing them to reset the password and take over the account.

The patch addresses this by introducing a more robust way of handling host headers. It distinguishes between the public-facing host (publicHost) and the internal instance host (instanceHost). The getServiceConfig function and the new getPublicHost and getInstanceHost functions in apps/login/src/lib/server/host.ts are part of the fix. The backend is now expected to validate the provided host against a list of trusted domains. A similar vulnerability was also fixed in the logout process in buildLoginV2LogoutURL by using a signed JWT to protect the logout redirect URL.

Vulnerable functions

resetPassword

apps/login/src/lib/server/password.ts

This function constructs the password reset URL. Before the patch, it used `getOriginalHostWithProtocol` which read the `x-forwarded-host` header without validation. An attacker could provide a malicious host, causing the password reset link to be sent to a domain they control, allowing them to capture the reset token and take over the account.

8.1

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-pfrf-9r5f-73f5: ZITADEL Vulnerable to Account Takeover Due to Improper Instance Validation in V2 Login

Summary

Impact

Affected Versions

Patches

Workarounds

Questions

Credits

GHSA-pfrf-9r5f-73f5:

8.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

Vulnerability IntelligenceMiggo AI

8.1

8.1

GHSA-pfrf-9r5f-73f5: ZITADEL Vulnerable to Account Takeover Due to Improper Instance Validation in V2 Login

Summary

Impact

Affected Versions

Patches

Workarounds

Questions

Credits

Basic Information

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI