CVE-2025-64717 Overview
A critical authentication bypass vulnerability has been identified in ZITADEL, an open source identity management platform. The vulnerability exists in ZITADEL's federation process and allows auto-linking users from external identity providers (IdPs) to existing users in ZITADEL even when the corresponding IdP has been disabled or the organization has explicitly disallowed federated authentication.
This flaw stems from the platform's failure to correctly check or enforce an organization's specific security settings during the authentication flow. An Organization Administrator can explicitly disable an IdP or disallow federation, but this setting was not being honored during the auto-linking process, potentially allowing unauthenticated attackers to achieve full account takeover.
Critical Impact
Unauthenticated attackers can exploit this vulnerability to link external identities to existing internal user accounts, bypassing organization-mandated security controls and potentially achieving full Account Takeover.
Affected Products
- ZITADEL versions 2.50.0 through 2.71.18
- ZITADEL versions 3.0.0 through 3.4.3
- ZITADEL versions 4.0.0 through 4.6.5
Discovery Timeline
- 2025-11-13 - CVE-2025-64717 published to NVD
- 2025-12-04 - Last updated in NVD database
Technical Details for CVE-2025-64717
Vulnerability Analysis
This authentication bypass vulnerability (CWE-287) affects ZITADEL's identity federation mechanism. The core issue lies in the platform's failure to validate organization-level login policies during the external identity auto-linking process.
When an organization administrator disables an Identity Provider or disallows federated authentication, these security configurations should prevent any authentication attempts using that IdP. However, the auto-linking process bypassed these checks entirely, creating a significant security gap.
The attack requires network access and exploits the flawed validation logic in the authentication flow. While the attack requires some conditions to be present (such as instance-level IdP configuration), it can be initiated by an unauthenticated attacker, making it particularly concerning for organizations relying on ZITADEL for identity management.
Important mitigating factors include:
- Accounts with Multi-Factor Authentication (MFA) enabled cannot be taken over by this attack
- Only IdPs created at the instance level allow this vulnerability to work; IdPs registered on another organization are always denied in the auto-linking process
Root Cause
The root cause of this vulnerability is improper validation of organization-specific security settings during the identity federation auto-linking process. The platform failed to verify whether the IdP was active and whether the organization's login policy permitted federated authentication before linking external identities to existing user accounts.
Specifically, the authentication flow did not correctly enforce the organization's configured login policy when processing auto-link requests from external identity providers. This oversight allowed authentication attempts through disabled IdPs to succeed, bypassing critical security controls that organization administrators had put in place.
Attack Vector
The attack is network-based and can be executed by an unauthenticated attacker. The exploitation flow involves:
- The attacker identifies a target organization using ZITADEL with a disabled IdP that was configured at the instance level
- The attacker initiates a login using the disabled IdP that should not be available for that organization
- Due to the vulnerability, ZITADEL incorrectly validates the login attempt
- Based on matching criteria (such as email address or other identity attributes), the platform auto-links the attacker's external identity to an existing internal user account
- The attacker gains access to the victim's account, achieving full Account Takeover
For detailed technical information, refer to the GitHub Security Advisory GHSA-j4g7-v4m4-77px.
Detection Methods for CVE-2025-64717
Indicators of Compromise
- Unexpected successful authentication attempts through IdPs that have been administratively disabled
- User accounts linked to external identities from IdPs that should not be permitted for the organization
- Authentication logs showing federation activity from disabled identity providers
- Unusual account linking events that bypass organization login policies
Detection Strategies
- Review authentication logs for successful logins via IdPs that have been disabled at the organization level
- Audit user account linking history to identify any unexpected external identity associations
- Monitor for authentication attempts that reference instance-level IdPs against organizations that have disabled federation
- Implement alerting on any auto-link events that occur outside of expected IdP configurations
Monitoring Recommendations
- Enable detailed logging for all identity federation and auto-linking events
- Configure alerts for authentication attempts using disabled IdPs
- Regularly audit the mapping between external identities and internal user accounts
- Monitor for changes in user account access patterns that may indicate account compromise
How to Mitigate CVE-2025-64717
Immediate Actions Required
- Upgrade ZITADEL to version 2.71.19, 3.4.4, or 4.6.6 immediately
- Audit all user accounts for unexpected external identity linkages
- Review authentication logs for any suspicious federation activity while running vulnerable versions
- Enable MFA for all user accounts as an additional layer of protection against this attack vector
Patch Information
The ZITADEL maintainers have released patched versions that correctly validate the organization's login policy before auto-linking an external user. Organizations should upgrade to one of the following versions:
- Version 2.71.19 - For organizations on the 2.x branch
- Version 3.4.4 - For organizations on the 3.x branch
- Version 4.6.6 - For organizations on the 4.x branch
For complete details on the vulnerability and fix, refer to the GitHub Security Advisory.
Workarounds
- No known workarounds are available aside from upgrading to a patched version
- As a temporary mitigation, enforce MFA for all user accounts to prevent account takeover even if exploitation occurs
- Consider temporarily removing instance-level IdP configurations until the patch can be applied
- Implement additional monitoring and alerting on authentication events to detect potential exploitation attempts
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
