CVE-2025-64717: ZITADEL is vulnerable to Account Takeover with deactivated Instance IdP
A vulnerability in ZITADEL’s federation process allowed auto-linking users from external identity providers to existing users in ZITADEL even if the corresponding IdP was not active or if the organization did not allow federated authentication.
References
- github.com/advisories/GHSA-j4g7-v4m4-77px
- github.com/zitadel/zitadel
- github.com/zitadel/zitadel/commit/33c51deb20402dd5720e32cfb0c1d5fdc752f2e0
- github.com/zitadel/zitadel/releases/tag/v2.71.19
- github.com/zitadel/zitadel/releases/tag/v3.4.4
- github.com/zitadel/zitadel/releases/tag/v4.6.6
- github.com/zitadel/zitadel/security/advisories/GHSA-j4g7-v4m4-77px
- nvd.nist.gov/vuln/detail/CVE-2025-64717
Code Behaviors & Features
Detect and mitigate CVE-2025-64717 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →