CVE-2025-67494

CRITICAL LAB

ZITADEL < 4.7.1 - Unauthenticated Server-Side Request Forgery via x-zitadel-forward-host Header

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-67494. PoCs published by Chocapikk.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2025-67494, an unauthenticated SSRF vulnerability in ZITADEL. The exploit automates the process of leaking Bearer tokens via SSRF and querying the ZITADEL Management API.

Description

ZITADEL is an open-source identity infrastructure tool. Versions 4.7.0 and below are vulnerable to an unauthenticated, full-read SSRF vulnerability. The ZITADEL Login UI (V2) treats the x-zitadel-forward-host header as a trusted fallback for all deployments, including self-hosted instances. This allows an unauthenticated attacker to force the server to make HTTP requests to arbitrary domains, such as internal addresses, and read the responses, enabling data exfiltration and bypassing network-segmentation controls. This issue is fixed in version 4.7.1.

Exploits (1)

nomisec WORKING POC 5 stars

by Chocapikk · poc

https://github.com/Chocapikk/CVE-2025-67494

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2025-67494, an unauthenticated SSRF vulnerability in ZITADEL. The exploit automates the process of leaking Bearer tokens via SSRF and querying the ZITADEL Management API.

Classification

Working Poc 95%

Attack Type

Ssrf

Complexity

Moderate

Reliability

Reliable

Target: ZITADEL v4.0.0-rc.1 through 4.7.0

No auth needed

Prerequisites: Access to ZITADEL Login UI · Python 3.8+ · requests and pwntools libraries

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1083 - File and Directory Discovery

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Vendor Advisory x_refsource_confirm

https://github.com/zitadel/zitadel/security/advisories/GHSA-7wfc-4796-gmg5

Patch x_refsource_misc

https://github.com/zitadel/zitadel/commit/4c879b47334e01d4fcab921ac1b44eda39acdb96

View Patch ZIP pw:eip

Scores

CVSS v3 9.3

EPSS 0.0004

EPSS Percentile 11.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Lab Environment

COMMUNITY

Community Lab

docker pull ghcr.io/zitadel/zitadel:v4.7.0

docker pull ghcr.io/zitadel/zitadel-login:v4.7.0

https://github.com/Chocapikk/CVE-2025-67494

https://github.com/zitadel/zitadel

View in Library

Details

CWE

CWE-918

Status published

Products (2)

zitadel/zitadel 0 - 1.80.0-v2.20.0.20251208091519-4c879b47334e (2 CPE variants)Go

zitadel/zitadel 4.0.0 - 4.7.1

Published Dec 09, 2025

Tracked Since Feb 18, 2026