x/vulndb: potential Go vuln in github.com/zitadel/zitadel/v2: GHSA-93m4-mfpg-c3xf

[GoVulnBot]

Advisory GHSA-93m4-mfpg-c3xf references a vulnerability in the following Go modules:

Module
github.com/zitadel/zitadel

Description:

Impact

A potential vulnerability exists in ZITADEL's password reset mechanism. ZITADEL utilizes the Forwarded or X-Forwarded-Host header from incoming requests to construct the URL for the password reset confirmation link. This link, containing a secret code, is then emailed to the user.

If an attacker can manipulate these headers (e.g., via host header injection), they could cause ZITADEL to generate a password reset link pointing to a malicious domain controlled by the attacker. If the user clicks this manipulated link in the email, the secret reset code embedded in the URL can be capt...

References:

• ADVISORY: GHSA-93m4-mfpg-c3xf
• ADVISORY: GHSA-93m4-mfpg-c3xf
• FIX: zitadel/zitadel@c097887

Cross references:

• github.com/zitadel/zitadel appears in 22 other report(s):
  • data/excluded/GO-2022-0961.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2022-36051 #961) NOT_IMPORTABLE
  • data/excluded/GO-2023-1489.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-6rrr-78xp-5jp8 #1489) NOT_IMPORTABLE
  • data/excluded/GO-2023-2107.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2023-44399 #2107) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-2155.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2023-46238 #2155) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-2187.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-7h8m-vrxx-vr4m #2187) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-2368.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-2wmj-46rj-qm2w #2368) NOT_IMPORTABLE
  • data/reports/GO-2024-2637.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-mq4x-r2w3-j7mr #2637)
  • data/reports/GO-2024-2655.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-hfrg-4jwr-jfpj #2655)
  • data/reports/GO-2024-2664.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-gp8g-f42f-95q2 #2664)
  • data/reports/GO-2024-2665.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-hr5w-cwwq-2v4m #2665)
  • data/reports/GO-2024-2788.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-7j7j-66cv-m239 #2788)
  • data/reports/GO-2024-2804.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2024-32967 #2804)
  • data/reports/GO-2024-2968.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2024-39683 #2968)
  • data/reports/GO-2024-3014.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2024-41952 #3014)
  • data/reports/GO-2024-3015.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2024-41953 #3015)
  • data/reports/GO-2024-3137.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel/v2: GHSA-2w5j-qfvw-2hf5 #3137)
  • data/reports/GO-2024-3138.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel/v2: GHSA-jj94-6f5c-65r8 #3138)
  • data/reports/GO-2024-3139.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel/v2: GHSA-qr2h-7pwm-h393 #3139)
  • data/reports/GO-2024-3216.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2024-49753 #3216)
  • data/reports/GO-2024-3217.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2024-49757 #3217)
  • data/reports/GO-2025-3499.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-f3gh-529w-v32x #3499)
  • data/reports/GO-2025-3671.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2025-46815 #3671)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/zitadel/zitadel
      versions:
        - fixed: 0.0.0-20250528081227-c097887bc5f6
      non_go_versions:
        - introduced: TODO (earliest fixed "", vuln range "< 2.38.2-0.20240919104753-94d1eb767837")
        - introduced: TODO (earliest fixed "2.71.11", vuln range ">= 2.71.0, <= 2.71.10")
        - introduced: 2.38.3
        - fixed: 2.70.12
        - introduced: 3.0.0-rc1
        - fixed: 3.2.2
summary: ZITADEL Allows Account Takeover via Malicious X-Forwarded-Proto Header Injection in github.com/zitadel/zitadel
ghsas:
    - GHSA-93m4-mfpg-c3xf
references:
    - advisory: https://github.com/advisories/GHSA-93m4-mfpg-c3xf
    - advisory: https://github.com/zitadel/zitadel/security/advisories/GHSA-93m4-mfpg-c3xf
    - fix: https://github.com/zitadel/zitadel/commit/c097887bc5f680e12c998580fb56d98a15758f53
notes:
    - fix: 'module merge error: could not merge versions of module github.com/zitadel/zitadel: invalid or non-canonical semver version (found TODO (earliest fixed "", vuln range "< 2.38.2-0.20240919104753-94d1eb767837"))'
    - fix: 'github.com/zitadel/zitadel: could not add vulnerable_at: cannot auto-guess when fixed version is 0.0.0 pseudo-version'
source:
    id: GHSA-93m4-mfpg-c3xf
    created: 2025-05-28T18:02:04.515775679Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/677139 mentions this issue: data/reports: add 5 reports