CVE-2025-46815 (GCVE-0-2025-46815)
Vulnerability from cvelistv5
Published
2025-05-06 17:13
Modified
2025-05-06 18:21
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
The identity infrastructure software ZITADEL offers developers the ability to manage user sessions using the Session API. This API enables the use of IdPs for authentication, known as idp intents. Following a successful idp intent, the client receives an id and token on a predefined URI. These id and token can then be used to authenticate the user or their session. However, prior to versions 3.0.0, 2.71.9, and 2.70.10, it was possible to exploit this feature by repeatedly using intents. This allowed an attacker with access to the application’s URI to retrieve the id and token, enabling them to authenticate on behalf of the user. It's important to note that the use of additional factors (MFA) prevents a complete authentication process and, consequently, access to the ZITADEL API. Versions 3.0.0, 2.71.9, and 2.70.10 contain a fix for the issue. No known workarounds other than upgrading are available.
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-46815", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-05-06T18:20:59.907100Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-05-06T18:21:14.384Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "zitadel", "vendor": "zitadel", "versions": [ { "status": "affected", "version": "\u003e= 3.0.0-rc.1, \u003c 3.0.0" }, { "status": "affected", "version": "\u003c 2.70.10" }, { "status": "affected", "version": "\u003e= 2.71.0, \u003c 2.71.9" } ] } ], "descriptions": [ { "lang": "en", "value": "The identity infrastructure software ZITADEL offers developers the ability to manage user sessions using the Session API. This API enables the use of IdPs for authentication, known as idp intents. Following a successful idp intent, the client receives an id and token on a predefined URI. These id and token can then be used to authenticate the user or their session. However, prior to versions 3.0.0, 2.71.9, and 2.70.10, it was possible to exploit this feature by repeatedly using intents. This allowed an attacker with access to the application\u2019s URI to retrieve the id and token, enabling them to authenticate on behalf of the user. It\u0027s important to note that the use of additional factors (MFA) prevents a complete authentication process and, consequently, access to the ZITADEL API. Versions 3.0.0, 2.71.9, and 2.70.10 contain a fix for the issue. No known workarounds other than upgrading are available." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-613", "description": "CWE-613: Insufficient Session Expiration", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-294", "description": "CWE-294: Authentication Bypass by Capture-replay", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-384", "description": "CWE-384: Session Fixation", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-05-06T17:13:53.878Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-g4r8-mp7g-85fq", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-g4r8-mp7g-85fq" }, { "name": "https://github.com/zitadel/zitadel/commit/b1e60e7398d677f08b06fd7715227f70b7ca1162", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/commit/b1e60e7398d677f08b06fd7715227f70b7ca1162" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.70.10", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.70.10" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.71.9", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.71.9" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v3.0.0", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v3.0.0" } ], "source": { "advisory": "GHSA-g4r8-mp7g-85fq", "discovery": "UNKNOWN" }, "title": "ZITADEL Allows IdP Intent Token Reuse" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2025-46815", "datePublished": "2025-05-06T17:13:53.878Z", "dateReserved": "2025-04-30T19:41:58.133Z", "dateUpdated": "2025-05-06T18:21:14.384Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "vulnerability-lookup:meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2025-46815\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-05-06T18:15:38.697\",\"lastModified\":\"2025-05-07T14:13:20.483\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The identity infrastructure software ZITADEL offers developers the ability to manage user sessions using the Session API. This API enables the use of IdPs for authentication, known as idp intents. Following a successful idp intent, the client receives an id and token on a predefined URI. These id and token can then be used to authenticate the user or their session. However, prior to versions 3.0.0, 2.71.9, and 2.70.10, it was possible to exploit this feature by repeatedly using intents. This allowed an attacker with access to the application\u2019s URI to retrieve the id and token, enabling them to authenticate on behalf of the user. It\u0027s important to note that the use of additional factors (MFA) prevents a complete authentication process and, consequently, access to the ZITADEL API. Versions 3.0.0, 2.71.9, and 2.70.10 contain a fix for the issue. No known workarounds other than upgrading are available.\"},{\"lang\":\"es\",\"value\":\"El software de infraestructura de identidad ZITADEL ofrece a los desarrolladores la posibilidad de gestionar sesiones de usuario mediante la API de sesi\u00f3n. Esta API permite el uso de proveedores de identidad (IdP) para la autenticaci\u00f3n, conocidos como intentos de IdP. Tras un intento de IdP exitoso, el cliente recibe un ID y un token en una URI predefinida. Estos ID y token pueden utilizarse para autenticar al usuario o su sesi\u00f3n. Sin embargo, antes de las versiones 3.0.0, 2.71.9 y 2.70.10, era posible explotar esta funci\u00f3n mediante el uso repetido de intentos. Esto permit\u00eda a un atacante con acceso a la URI de la aplicaci\u00f3n recuperar el ID y el token, lo que le permit\u00eda autenticarse en nombre del usuario. Es importante tener en cuenta que el uso de factores adicionales (MFA) impide un proceso de autenticaci\u00f3n completo y, en consecuencia, el acceso a la API de ZITADEL. Las versiones 3.0.0, 2.71.9 y 2.70.10 contienen una soluci\u00f3n para este problema. No se conocen workarounds aparte de la actualizaci\u00f3n.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N\",\"baseScore\":8.0,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.6,\"impactScore\":5.8}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-294\"},{\"lang\":\"en\",\"value\":\"CWE-384\"},{\"lang\":\"en\",\"value\":\"CWE-613\"}]}],\"references\":[{\"url\":\"https://github.com/zitadel/zitadel/commit/b1e60e7398d677f08b06fd7715227f70b7ca1162\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/zitadel/zitadel/releases/tag/v2.70.10\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/zitadel/zitadel/releases/tag/v2.71.9\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/zitadel/zitadel/releases/tag/v3.0.0\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/zitadel/zitadel/security/advisories/GHSA-g4r8-mp7g-85fq\",\"source\":\"security-advisories@github.com\"}]}}", "vulnrichment": { "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-46815\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-05-06T18:20:59.907100Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-05-06T18:21:04.279Z\"}}], \"cna\": {\"title\": \"ZITADEL Allows IdP Intent Token Reuse\", \"source\": {\"advisory\": \"GHSA-g4r8-mp7g-85fq\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"zitadel\", \"product\": \"zitadel\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 3.0.0-rc.1, \u003c 3.0.0\"}, {\"status\": \"affected\", \"version\": \"\u003c 2.70.10\"}, {\"status\": \"affected\", \"version\": \"\u003e= 2.71.0, \u003c 2.71.9\"}]}], \"references\": [{\"url\": \"https://github.com/zitadel/zitadel/security/advisories/GHSA-g4r8-mp7g-85fq\", \"name\": \"https://github.com/zitadel/zitadel/security/advisories/GHSA-g4r8-mp7g-85fq\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/zitadel/zitadel/commit/b1e60e7398d677f08b06fd7715227f70b7ca1162\", \"name\": \"https://github.com/zitadel/zitadel/commit/b1e60e7398d677f08b06fd7715227f70b7ca1162\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/zitadel/zitadel/releases/tag/v2.70.10\", \"name\": \"https://github.com/zitadel/zitadel/releases/tag/v2.70.10\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/zitadel/zitadel/releases/tag/v2.71.9\", \"name\": \"https://github.com/zitadel/zitadel/releases/tag/v2.71.9\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/zitadel/zitadel/releases/tag/v3.0.0\", \"name\": \"https://github.com/zitadel/zitadel/releases/tag/v3.0.0\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"The identity infrastructure software ZITADEL offers developers the ability to manage user sessions using the Session API. This API enables the use of IdPs for authentication, known as idp intents. Following a successful idp intent, the client receives an id and token on a predefined URI. These id and token can then be used to authenticate the user or their session. However, prior to versions 3.0.0, 2.71.9, and 2.70.10, it was possible to exploit this feature by repeatedly using intents. This allowed an attacker with access to the application\\u2019s URI to retrieve the id and token, enabling them to authenticate on behalf of the user. It\u0027s important to note that the use of additional factors (MFA) prevents a complete authentication process and, consequently, access to the ZITADEL API. Versions 3.0.0, 2.71.9, and 2.70.10 contain a fix for the issue. No known workarounds other than upgrading are available.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-613\", \"description\": \"CWE-613: Insufficient Session Expiration\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-294\", \"description\": \"CWE-294: Authentication Bypass by Capture-replay\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-384\", \"description\": \"CWE-384: Session Fixation\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-05-06T17:13:53.878Z\"}}}", "cveMetadata": "{\"cveId\": \"CVE-2025-46815\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-05-06T18:21:14.384Z\", \"dateReserved\": \"2025-04-30T19:41:58.133Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-05-06T17:13:53.878Z\", \"assignerShortName\": \"GitHub_M\"}", "dataType": "CVE_RECORD", "dataVersion": "5.1" } } }
Loading…
Loading…
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…