CVE-2025-46815 Overview
CVE-2025-46815 is an authentication bypass vulnerability in ZITADEL, an open-source identity infrastructure platform. The vulnerability exists in the handling of Identity Provider (IdP) intents by the Session API, the API through which developers manage user sessions and authenticate users via external identity providers. A flaw in the intent validation mechanism permits repeated use of IdP intent tokens, enabling an attacker to hijack authentication sessions and impersonate legitimate users.
Critical Impact
Attackers with access to the application's URI can intercept and reuse IdP intent credentials to authenticate on behalf of legitimate users, potentially gaining unauthorized access to protected resources and the ZITADEL API.
Affected Products
- ZITADEL versions prior to 3.0.0
- ZITADEL versions prior to 2.71.9
- ZITADEL versions prior to 2.70.10
- ZITADEL 3.0.0 release candidates (3.0.0-rc1, 3.0.0-rc2, 3.0.0-rc3)
Discovery Timeline
- May 6, 2025 - CVE-2025-46815 published to NVD
- August 26, 2025 - Last updated in NVD database
Technical Details for CVE-2025-46815
Vulnerability Analysis
The vulnerability stems from insufficient validation of IdP intent tokens within ZITADEL's Session API. When a user authenticates via an external Identity Provider, the flow generates an intent ID and token that are sent to a predefined callback URI. These credentials are designed to be single-use authentication artifacts that prove the user successfully authenticated with the IdP.
However, the vulnerable versions of ZITADEL fail to invalidate these intent credentials after their initial use. This allows an attacker who can intercept or observe the callback URI traffic to capture the intent ID and token, then repeatedly replay them to establish authenticated sessions on behalf of the victim user.
The attack surface is network-based and requires user interaction (such as the legitimate user initiating an IdP authentication flow), combined with the attacker having some form of access to the application's callback URI. While exploitation complexity is elevated due to these prerequisites, successful exploitation results in complete authentication bypass with high impact to confidentiality and integrity.
It's important to note that if Multi-Factor Authentication (MFA) is enabled, the attack is partially mitigated as the attacker would still need to complete additional authentication factors to fully access the ZITADEL API.
Root Cause
The root cause is classified as CWE-294: Authentication Bypass by Capture-Replay. The Session API's IdP intent handling mechanism lacks proper single-use token validation and invalidation. Once an intent is successfully used, the system should immediately invalidate the associated ID and token to prevent reuse. The absence of this invalidation logic creates a replay attack vulnerability where captured authentication artifacts can be reused indefinitely.
Attack Vector
The attack vector is network-based, requiring an attacker to have visibility into the callback URI where IdP intent credentials are delivered. The attack flow involves:
- A legitimate user initiates authentication via an external Identity Provider through ZITADEL
- Upon successful IdP authentication, ZITADEL generates an intent ID and token
- These credentials are sent to the predefined application callback URI
- An attacker with access to observe this URI intercepts the intent ID and token
- The attacker uses these captured credentials to call the Session API
- Due to missing single-use validation, the API accepts the replayed credentials
- The attacker successfully authenticates as the victim user
The vulnerability does not grant complete API access if MFA is configured, as additional authentication factors would still be required. Organizations relying solely on IdP-based authentication without MFA enforcement are at highest risk.
Detection Methods for CVE-2025-46815
Indicators of Compromise
- Multiple successful authentications using identical IdP intent IDs within short time windows
- Authentication events originating from different IP addresses or user agents for the same intent credentials
- Anomalous patterns of session creation following IdP authentication flows
- Unusual timing gaps between IdP authentication completion and subsequent session establishment
Detection Strategies
- Implement logging of all IdP intent ID usage and flag any instances of reuse
- Monitor for authentication attempts from IP addresses or geolocations inconsistent with the user's normal behavior
- Set up alerts for multiple session creations tied to the same user within abnormally short time periods
- Analyze authentication logs for patterns indicating capture-replay activity
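The indicators and detection strategies above all reduce to one check: an IdP intent is single-use by design, so any intent ID that appears in more than one session-creation event is a replay indicator, and the source IPs, user agents and time span of those uses are what an analyst triages. The following Go program is an added example written for this page, not ZITADEL's own code or log format; the audit record fields (intent_id, session_id, source_ip, user_agent) and the sample log lines are constructed assumptions, and a real deployment would map them onto whatever its ZITADEL audit export actually emits.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// SessionEvent is a simplified audit record for a session created from an
// IdP intent. Field names are assumptions for this example, not ZITADEL's
// audit log schema.
type SessionEvent struct {
	Time      time.Time `json:"time"`
	IntentID  string    `json:"intent_id"`
	UserID    string    `json:"user_id"`
	SessionID string    `json:"session_id"`
	SourceIP  string    `json:"source_ip"`
	UserAgent string    `json:"user_agent"`
}

// Finding describes one intent that created more than one session.
type Finding struct {
	IntentID   string
	UserID     string
	Uses       int
	DistinctIP int
	DistinctUA int
	Span       time.Duration // time between first and last use
}

// ParseEvents decodes newline-delimited JSON audit lines, skipping blanks.
func ParseEvents(ndjson string) ([]SessionEvent, error) {
	var out []SessionEvent
	for _, line := range strings.Split(ndjson, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		var ev SessionEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, fmt.Errorf("bad audit line %q: %w", line, err)
		}
		out = append(out, ev)
	}
	return out, nil
}

// DetectIntentReuse groups events by intent ID and reports every intent used
// for more than one session. Distinct source IPs, distinct user agents and
// the span between uses are included to help triage.
func DetectIntentReuse(events []SessionEvent) []Finding {
	type agg struct {
		userID      string
		first, last time.Time
		ips, uas    map[string]bool
		uses        int
	}
	byIntent := map[string]*agg{}
	var order []string // first-seen order keeps the output stable
	for _, ev := range events {
		a, ok := byIntent[ev.IntentID]
		if !ok {
			a = &agg{userID: ev.UserID, first: ev.Time, last: ev.Time,
				ips: map[string]bool{}, uas: map[string]bool{}}
			byIntent[ev.IntentID] = a
			order = append(order, ev.IntentID)
		}
		a.uses++
		a.ips[ev.SourceIP] = true
		a.uas[ev.UserAgent] = true
		if ev.Time.Before(a.first) {
			a.first = ev.Time
		}
		if ev.Time.After(a.last) {
			a.last = ev.Time
		}
	}
	var findings []Finding
	for _, id := range order {
		a := byIntent[id]
		if a.uses < 2 {
			continue
		}
		findings = append(findings, Finding{IntentID: id, UserID: a.userID, Uses: a.uses,
			DistinctIP: len(a.ips), DistinctUA: len(a.uas), Span: a.last.Sub(a.first)})
	}
	return findings
}

// Constructed sample log: int-b2 is used twice, 90 seconds apart, the second
// time from a different IP and user agent.
const SampleAuditLog = `
{"time":"2025-05-10T10:00:00Z","intent_id":"int-a1","user_id":"alice","session_id":"s-1","source_ip":"203.0.113.10","user_agent":"Mozilla/5.0 (X11; Linux)"}
{"time":"2025-05-10T10:00:05Z","intent_id":"int-b2","user_id":"bob","session_id":"s-2","source_ip":"203.0.113.20","user_agent":"Mozilla/5.0 (Macintosh)"}
{"time":"2025-05-10T10:01:35Z","intent_id":"int-b2","user_id":"bob","session_id":"s-3","source_ip":"198.51.100.7","user_agent":"curl/8.5.0"}
{"time":"2025-05-10T10:02:00Z","intent_id":"int-c3","user_id":"carol","session_id":"s-4","source_ip":"203.0.113.30","user_agent":"Mozilla/5.0 (Windows)"}
`

func main() {
	events, err := ParseEvents(SampleAuditLog)
	if err != nil {
		panic(err)
	}
	for _, f := range DetectIntentReuse(events) {
		fmt.Printf("intent %s (user %s) used %d times from %d IPs / %d user agents over %s\n",
			f.IntentID, f.UserID, f.Uses, f.DistinctIP, f.DistinctUA, f.Span)
	}
}
```

Run against the constructed sample it reports only int-b2. In practice the same grouping is easy to express as a SIEM rule (count of sessions per intent ID greater than one), and the distinct-IP and distinct-user-agent counts are what separate a benign client retry from the cross-origin reuse the indicators above describe.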
Monitoring Recommendations
- Enable detailed audit logging for the ZITADEL Session API, particularly around IdP intent authentication flows
- Deploy network monitoring to detect unauthorized access to callback URIs
- Implement real-time alerting for authentication anomalies based on behavioral baselines
- Consider integrating SIEM solutions to correlate authentication events across your identity infrastructure
How to Mitigate CVE-2025-46815
Immediate Actions Required
- Upgrade ZITADEL to version 3.0.0, 2.71.9, or 2.70.10 depending on your current version branch
- Enable Multi-Factor Authentication (MFA) for all users as an additional protective layer
- Review authentication logs for potential signs of past exploitation
- Ensure callback URIs are secured with HTTPS and proper access controls
Patch Information
ZITADEL has released patched versions that address this vulnerability by implementing proper single-use validation for IdP intent tokens. The fix ensures that once an intent ID and token are used for authentication, they are immediately invalidated and cannot be replayed.
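The root cause section and the patch description above both come down to the same missing step: after an intent ID and token are checked, the intent must be marked consumed in the same operation, so a second presentation of the same pair fails. The Go program below is an added illustration for this page, not ZITADEL's code or the actual fix; the IntentStore, its method names and the in-memory storage are assumptions. VerifyVulnerable shows the flawed pattern (validate but never invalidate), and Consume shows the corrected pattern (validate and invalidate atomically under one lock).

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// intent is a hypothetical record for an IdP intent ID/token pair issued
// after a successful external-IdP login (not ZITADEL's data model).
type intent struct {
	token    string
	userID   string
	expires  time.Time
	consumed bool
}

var (
	ErrUnknownIntent = errors.New("unknown intent id")
	ErrBadToken      = errors.New("intent token mismatch")
	ErrExpired       = errors.New("intent expired")
	ErrAlreadyUsed   = errors.New("intent already consumed")
)

// IntentStore is an in-memory stand-in for persistent intent storage.
type IntentStore struct {
	mu      sync.Mutex
	intents map[string]*intent
}

func NewIntentStore() *IntentStore {
	return &IntentStore{intents: map[string]*intent{}}
}

// Issue creates an intent for userID with a random ID and token and a short
// time-to-live; both values are what would be delivered to the callback URI.
func (s *IntentStore) Issue(userID string, ttl time.Duration) (id, token string) {
	id, token = randomHex(16), randomHex(32)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.intents[id] = &intent{token: token, userID: userID, expires: time.Now().Add(ttl)}
	return id, token
}

// lookup runs the checks shared by both variants; the caller holds the lock.
func (s *IntentStore) lookup(id, token string) (*intent, error) {
	it, ok := s.intents[id]
	if !ok {
		return nil, ErrUnknownIntent
	}
	if subtle.ConstantTimeCompare([]byte(it.token), []byte(token)) != 1 {
		return nil, ErrBadToken
	}
	if time.Now().After(it.expires) {
		return nil, ErrExpired
	}
	return it, nil
}

// VerifyVulnerable mirrors the flaw described above: the pair is validated
// but never invalidated, so a captured pair keeps working until it expires.
func (s *IntentStore) VerifyVulnerable(id, token string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	it, err := s.lookup(id, token)
	if err != nil {
		return "", err
	}
	return it.userID, nil
}

// Consume is the hardened form: the same checks, plus the intent is marked
// consumed in the same locked step, so any second use is rejected.
func (s *IntentStore) Consume(id, token string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	it, err := s.lookup(id, token)
	if err != nil {
		return "", err
	}
	if it.consumed {
		return "", ErrAlreadyUsed
	}
	it.consumed = true
	return it.userID, nil
}

func randomHex(n int) string {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

func main() {
	store := NewIntentStore()
	id, token := store.Issue("user-123", 5*time.Minute)
	fmt.Println(store.Consume(id, token)) // user-123 <nil>
	fmt.Println(store.Consume(id, token)) // "" intent already consumed
}
```

With persistent storage the "mark consumed" step must be a single atomic update (for example a conditional UPDATE ... WHERE consumed = false, or a compare-and-set), otherwise two concurrent requests carrying the same captured pair can both pass the check before either marks the intent used.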
Patched Versions:
- ZITADEL 3.0.0
- ZITADEL 2.71.9
- ZITADEL 2.70.10
For detailed technical information about the fix, refer to the GitHub Security Advisory and the associated commit.
Workarounds
- No known workarounds are available other than upgrading to a patched version
- As a temporary risk reduction measure, enforce MFA for all users to prevent complete authentication bypass
- Restrict network access to callback URIs to trusted sources only
- Consider temporarily disabling IdP-based authentication if upgrading cannot be performed immediately
# Pull the patched ZITADEL image with Docker (example); redeploy your containers with the new tag to complete the upgrade
docker pull ghcr.io/zitadel/zitadel:v3.0.0
# Or for the 2.71.x branch
docker pull ghcr.io/zitadel/zitadel:v2.71.9
# Or for the 2.70.x branch
docker pull ghcr.io/zitadel/zitadel:v2.70.10
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

