CVE-2025-67495: ZITADEL Vulnerable to Account Takeover via DOM-Based XSS in Zitadel V2 Login
A potential vulnerability exists in ZITADEL's logout endpoint in login V2. This endpoint accepts several parameters, including a post_logout_redirect. When this parameter is specified, users are redirected to the site provided via this parameter.
ZITADEL's login UI did not ensure that this parameter contained an allowed value, and it even executed scripts passed in it.
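The mitigation the advisory implies is to validate post_logout_redirect before using it. The following is an added example (not ZITADEL's own code) of such a check: it parses the value, accepts only http(s) absolute URLs, and requires an exact match against a pre-registered allowlist; the allowlist contents and function names are assumptions.

```javascript
// Added example, not ZITADEL code. Validates a post_logout_redirect value
// before redirecting. The allowlist below is a constructed placeholder for
// the redirect URIs a client would have pre-registered.
const ALLOWED_POST_LOGOUT_REDIRECTS = [
  "https://app.example.com/loggedout",
  "https://app.example.com/",
];

// Returns the normalised redirect target if it is allowed, otherwise null.
function safePostLogoutRedirect(param, allowlist = ALLOWED_POST_LOGOUT_REDIRECTS) {
  if (typeof param !== "string" || param.length === 0) return null;
  let url;
  try {
    // Parsed without a base URL, so relative values such as "/foo" or
    // protocol-relative "//other.example" are invalid and rejected.
    url = new URL(param);
  } catch {
    return null;
  }
  // Only http(s) targets are acceptable; this excludes javascript:, data:
  // and any other scheme the browser might execute rather than navigate to.
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  // Embedded credentials are never part of a registered redirect URI.
  if (url.username || url.password) return null;
  // Exact match against registered entries after normalisation (scheme and
  // host are lower-cased, "." and ".." path segments are resolved).
  const normalised = url.href;
  return allowlist.some((entry) => new URL(entry).href === normalised)
    ? normalised
    : null;
}

// Chooses where to send the user after logout: the validated parameter,
// or a fixed fallback page when the parameter is missing or not allowed.
function resolveLogoutTarget(param, fallback = "https://app.example.com/") {
  return safePostLogoutRedirect(param) ?? fallback;
}
```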