x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2025-46815 #3671

GoVulnBot · 2025-05-06T19:01:30Z

Advisory CVE-2025-46815 references a vulnerability in the following Go modules:

Module
github.com/zitadel/zitadel

Description:
The identity infrastructure software ZITADEL offers developers the ability to manage user sessions using the Session API. This API enables the use of IdPs for authentication, known as idp intents. Following a successful idp intent, the client receives an id and token on a predefined URI. These id and token can then be used to authenticate the user or their session. However, prior to versions 3.0.0, 2.71.9, and 2.70.10, it was possible to exploit this feature by repeatedly using intents. This allowed an attacker with access to the application’s URI to retrieve the id and token, enabling them ...

References:

Cross references:

github.com/zitadel/zitadel appears in 21 other report(s):
- data/excluded/GO-2022-0961.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2022-36051 #961) NOT_IMPORTABLE
- data/excluded/GO-2023-1489.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-6rrr-78xp-5jp8 #1489) NOT_IMPORTABLE
- data/excluded/GO-2023-2107.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2023-44399 #2107) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-2155.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2023-46238 #2155) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-2187.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-7h8m-vrxx-vr4m #2187) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-2368.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-2wmj-46rj-qm2w #2368) NOT_IMPORTABLE
- data/reports/GO-2024-2637.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-mq4x-r2w3-j7mr #2637)
- data/reports/GO-2024-2655.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-hfrg-4jwr-jfpj #2655)
- data/reports/GO-2024-2664.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-gp8g-f42f-95q2 #2664)
- data/reports/GO-2024-2665.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-hr5w-cwwq-2v4m #2665)
- data/reports/GO-2024-2788.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-7j7j-66cv-m239 #2788)
- data/reports/GO-2024-2804.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2024-32967 #2804)
- data/reports/GO-2024-2968.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2024-39683 #2968)
- data/reports/GO-2024-3014.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2024-41952 #3014)
- data/reports/GO-2024-3015.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2024-41953 #3015)
- data/reports/GO-2024-3137.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel/v2: GHSA-2w5j-qfvw-2hf5 #3137)
- data/reports/GO-2024-3138.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel/v2: GHSA-jj94-6f5c-65r8 #3138)
- data/reports/GO-2024-3139.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel/v2: GHSA-qr2h-7pwm-h393 #3139)
- data/reports/GO-2024-3216.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2024-49753 #3216)
- data/reports/GO-2024-3217.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2024-49757 #3217)
- data/reports/GO-2025-3499.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-f3gh-529w-v32x #3499)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/zitadel/zitadel
      vulnerable_at: 1.87.5
summary: CVE-2025-46815 in github.com/zitadel/zitadel
cves:
    - CVE-2025-46815
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-46815
    - fix: https://github.com/zitadel/zitadel/commit/b1e60e7398d677f08b06fd7715227f70b7ca1162
    - web: https://github.com/zitadel/zitadel/releases/tag/v2.70.10
    - web: https://github.com/zitadel/zitadel/releases/tag/v2.71.9
    - web: https://github.com/zitadel/zitadel/releases/tag/v3.0.0
    - web: https://github.com/zitadel/zitadel/security/advisories/GHSA-g4r8-mp7g-85fq
source:
    id: CVE-2025-46815
    created: 2025-05-06T19:01:29.389424351Z
review_status: UNREVIEWED

The text was updated successfully, but these errors were encountered:

gopherbot · 2025-05-15T19:42:13Z

Change https://go.dev/cl/673317 mentions this issue: data/reports: add 12 reports

GoVulnBot added NeedsTriage cve-year-2025 labels May 6, 2025

thatnealpatel mentioned this issue May 13, 2025

x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-g4r8-mp7g-85fq #3668

Closed

thatnealpatel added triaged and removed NeedsTriage labels May 13, 2025

thatnealpatel self-assigned this May 15, 2025

gopherbot closed this as completed in d134167 May 15, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2025-46815 #3671

x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2025-46815 #3671

GoVulnBot commented May 6, 2025

gopherbot commented May 15, 2025

x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2025-46815 #3671

x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2025-46815 #3671

Comments

GoVulnBot commented May 6, 2025

gopherbot commented May 15, 2025