CVE-2025-67494: ZITADEL Vulnerable to Unauthenticated Full-Read SSRF via V2 Login

December 8, 2025 (updated December 10, 2025)

Zitadel is vulnerable to an unauthenticated, full-read SSRF vulnerability. An unauthenticated remote attacker can force Zitadel into making HTTP requests to arbitrary domains, including internal addresses. The server then returns the upstream response to the attacker, enabling data exfiltration from internal services.

References

github.com/advisories/GHSA-7wfc-4796-gmg5
github.com/zitadel/zitadel
github.com/zitadel/zitadel/commit/4c879b47334e01d4fcab921ac1b44eda39acdb96
github.com/zitadel/zitadel/security/advisories/GHSA-7wfc-4796-gmg5
nvd.nist.gov/vuln/detail/CVE-2025-67494

Code Behaviors & Features

Detect and mitigate CVE-2025-67494 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →